Sandbox bypass leading to arbitrary code execution in Deno
CVE-2022-24783

10CRITICAL

Key Information:

Vendor: Denoland
Status: Deno
Vendor: CVE Published:; 25 March 2022

What is CVE-2022-24783?

Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.

Affected Version(s)

deno >= 1.18.0, < 1.20.3

References

https://github.com/denoland/deno/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2022
Vulnerability Reserved
Feb 10, 2022

JSON

Denoland

What is CVE-2022-24783?

Affected Version(s)

References

CVSS V3.1

Timeline