Unverified Ownership Affecting deno package, versions >=1.39.0 <1.39.1


Severity: high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.04% (15th percentile)

  • Snyk ID: SNYK-RUST-DENO-6420589
  • published: 10 Mar 2024
  • disclosed: 6 Mar 2024
  • credit: leesh3288

Introduced: 6 Mar 2024

CVE-2024-27933
CWE-283

How to fix?

Upgrade deno to version 1.39.1 or higher.

Overview

deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust.

Affected versions of this package are vulnerable to Unverified Ownership because op_node_ipc_pipe() wraps a raw file descriptor number as an owned handle. When that handle is dropped, the descriptor is closed even though the op never owned it, so arbitrary descriptors can be closed prematurely. In particular, fd 0 (standard input) can be closed and then re-opened as a different resource, so the permission prompt reads its answer from content the attacker chose rather than from the user, silently bypassing the prompt. An attacker who controls code executed inside a Deno runtime can therefore achieve arbitrary code execution on the host machine regardless of the permissions the runtime was granted.

Exploitation is made more reliable by widening the race window between clear_stdin() and the subsequent stdin_lock.read_line() in the prompt code, for example by requesting a resource with a very long name so that rendering the prompt takes longer. Within that window another Worker closes fd 0 and opens a resource whose content begins with "A\n", so read_line() returns "A" and the prompt treats it as the user's affirmative answer. The attack can be carried out silently, because stderr can be closed in the same way, suppressing all prompt output.
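To make the mechanism concrete, the following Rust program is an added illustration written for this page; it is not Deno's code, and the ownership check it shows is a generic defensive pattern, not a description of the fix shipped in 1.39.1. It simulates the race on any POSIX system: a prompt that reads its answer from fd 0 via the process's stdin, a stand-in for the attacker's Worker that closes fd 0 and opens a file whose first line is "A" in its place (open() returns the lowest free descriptor, so the file becomes the new fd 0), and a hardened prompt that fingerprints the resource behind fd 0 (device and inode from fstat) before and after reading, rejecting an answer that arrived through a swapped-in resource. The temp-file names and the y/n/A answer format are assumptions made for the example.

```rust
// Added illustration of CVE-2024-27933's mechanism (not Deno's code):
// a prompt answered by a file that an attacker opened in place of stdin,
// and an fd-identity check that detects the swap. Unix only.
use std::fs::File;
use std::io::{BufRead, Write};
use std::mem::ManuallyDrop;
use std::os::unix::fs::MetadataExt;
use std::os::unix::io::{AsRawFd, FromRawFd};

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Deny,
}

/// (device, inode) of whatever currently sits behind fd 0, or None if fd 0 is closed.
pub fn fd0_identity() -> Option<(u64, u64)> {
    // ManuallyDrop: dropping this temporary File must not close(0) underneath us.
    let f = ManuallyDrop::new(unsafe { File::from_raw_fd(0) });
    f.metadata().ok().map(|m| (m.dev(), m.ino()))
}

/// The attacker's side of the race: close fd 0, then immediately open a file
/// whose first line is "A". POSIX hands open() the lowest free descriptor,
/// so the file lands on fd 0 and becomes the prompt's "stdin".
/// Returns the descriptor number the file received (0 when the race is won).
pub fn hijack_stdin(path: &str) -> std::io::Result<i32> {
    drop(unsafe { File::from_raw_fd(0) }); // close(0); harmless if already closed
    let f = File::open(path)?;
    let fd = f.as_raw_fd();
    std::mem::forget(f); // keep the new fd 0 open for the prompt to read
    Ok(fd)
}

/// Reads one line from fd 0 the way a prompt would; errors read as "" (deny).
fn read_answer() -> String {
    let mut line = String::new();
    let _ = std::io::stdin().lock().read_line(&mut line);
    line.trim_end().to_string()
}

/// Vulnerable shape: whatever read_line returns is trusted. `race` stands in for
/// the window between the prompt being shown and the answer being read.
pub fn prompt_vulnerable(race: impl FnOnce()) -> Decision {
    let _ = writeln!(std::io::stderr(), "Allow access? [y/n/A]");
    race();
    match read_answer().as_str() {
        "y" | "A" => Decision::Allow,
        _ => Decision::Deny,
    }
}

/// Hardened shape: fingerprint fd 0 before the prompt and again after the answer
/// arrives; an answer delivered by a different resource is rejected.
pub fn prompt_hardened(race: impl FnOnce()) -> Decision {
    let before = fd0_identity();
    let _ = writeln!(std::io::stderr(), "Allow access? [y/n/A]");
    race();
    let answer = read_answer();
    let after = fd0_identity();
    if before.is_none() || before != after {
        return Decision::Deny; // stdin was closed or replaced mid-prompt
    }
    match answer.as_str() {
        "y" | "A" => Decision::Allow,
        _ => Decision::Deny,
    }
}

/// Constructed scenario: two temp files (assumed names) that both begin with "A\n".
/// Returns (vulnerable prompt's decision, hardened prompt's decision).
pub fn demo() -> (Decision, Decision) {
    let dir = std::env::temp_dir();
    let p1 = dir.join("deno_race_demo_1.txt");
    let p2 = dir.join("deno_race_demo_2.txt");
    std::fs::write(&p1, "A\n").expect("write temp file");
    std::fs::write(&p2, "A\n").expect("write temp file");

    // Hardened prompt first: fd 0 starts as the real stdin and is swapped for p2.
    let hardened = prompt_hardened(|| {
        hijack_stdin(p2.to_str().unwrap()).expect("hijack");
    });
    // Vulnerable prompt: fd 0 is swapped for p1 mid-prompt; "A" is read and trusted.
    let vulnerable = prompt_vulnerable(|| {
        hijack_stdin(p1.to_str().unwrap()).expect("hijack");
    });

    let _ = std::fs::remove_file(&p1); // the open fd keeps the inode alive
    let _ = std::fs::remove_file(&p2);
    (vulnerable, hardened)
}

fn main() {
    let (vulnerable, hardened) = demo();
    println!("vulnerable prompt: {:?}, hardened prompt: {:?}", vulnerable, hardened);
}
```

The identity check is a second line of defence only: the root cause on the Deno side is an op that closes a descriptor it does not own, and the proper fix is to make descriptor ownership explicit so that fd 0 can never be closed behind the prompt's back. Note also that the check above compares device and inode, so a worker that re-opened the very same file the prompt was already reading from would not be detected; in the real attack the original fd 0 is a terminal or pipe, which a regular file can never match.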

CVSS Scores

version 3.1