Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-28445

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.

Published

2023-03-24T00:15:15.653

Last Modified

2024-11-21T07:55:05.587

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Secondary
CWE-125
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	deno	deno	1.32.0	Yes
Application	deno	deno_runtime	0.102.0	Yes
Application	deno	serde_v8	0.87.0	Yes

References

https://github.com/denoland/deno/pull/18395 Patch, Vendor Advisory ([email protected])
https://github.com/denoland/deno/releases/tag/v1.32.1 Patch, Release Notes ([email protected])
https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx Mitigation, Vendor Advisory ([email protected])
https://github.com/denoland/deno/pull/18395 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/denoland/deno/releases/tag/v1.32.1 Patch, Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)