Interactive permission prompt spoofing in Deno
CVE-2023-22499

7.5 HIGH

Key Information:

Vendor

Denoland

Status
Vendor
CVE Published:
17 January 2023

What is CVE-2023-22499?

The Deno Runtime, a popular JavaScript and TypeScript execution environment, has a vulnerability that lets a malicious program spoof its interactive permission prompts. The issue arises in programs that use the Web Worker API, which can tamper with the prompt shown to the user: by clearing the terminal screen immediately after a permission request is displayed and printing a misleading message in its place, an attacker can deceive the user into believing they are confirming a harmless action. The condition is time-sensitive and does not manifest on every run, so it is difficult to reproduce consistently, but it poses a significant risk to anyone who relies on interactive permission prompts to decide what a program may do. Users are strongly encouraged to upgrade to Deno v1.29.3 or later to mitigate this risk. Those unable to update can run Deno with the --no-prompt flag, which disables the interactive prompts.
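The advisory gives two actionable facts: the affected range (deno >= 1.9, < 1.29.3) and the fallback mitigation (--no-prompt). The following Python script is an added example for this page, not Deno's own code: it decides whether a version string falls inside that range and builds a `deno run` command line that applies --no-prompt only when the runtime is still affected. It assumes the first line of `deno --version` reads like `deno 1.29.3 (release, ...)`; the script name `main.ts` and the fallback version `1.29.2` are constructed placeholders.

```python
# Added example for this advisory page (not Deno's own code): decide whether a
# Deno version string falls inside the affected range stated on the page
# (deno >= 1.9, < 1.29.3) and build a command line that applies the page's
# fallback mitigation (--no-prompt) only while the runtime is still affected.
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

AFFECTED_MIN = (1, 9, 0)   # first affected release named on the page
FIXED_IN = (1, 29, 3)      # patched release named on the page


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v1.29.3', '1.29.3-rc.1' or '1.9' into a (major, minor, patch) tuple.
    Missing components are treated as 0; pre-release and build suffixes are ignored."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not (1 <= len(parts) <= 3) or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a semantic version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version lies in [1.9.0, 1.29.3), i.e. prompt spoofing applies."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def mitigated_command(script: str, version: str) -> List[str]:
    """Build the 'deno run' argv, adding --no-prompt (the page's fallback) only
    when the runtime cannot be trusted to show an honest interactive prompt."""
    argv = ["deno", "run"]
    if is_affected(version):
        argv.append("--no-prompt")
    argv.append(script)
    return argv


def installed_deno_version() -> Optional[str]:
    """Read the local Deno version. Assumption: the first line of `deno --version`
    looks like 'deno 1.29.3 (release, x86_64-unknown-linux-gnu)'. Returns None
    when deno is not installed or the output does not match that shape."""
    if shutil.which("deno") is None:
        return None
    try:
        out = subprocess.run(
            ["deno", "--version"], capture_output=True, text=True, timeout=10, check=True
        ).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    m = re.match(r"deno\s+v?(\d+\.\d+\.\d+)", out)
    return m.group(1) if m else None


if __name__ == "__main__":
    found = installed_deno_version()
    version = found or "1.29.2"  # constructed sample version when no local deno exists
    label = "installed" if found else "sample"
    state = "AFFECTED" if is_affected(version) else "not affected"
    print(f"{label} deno {version}: {state}")
    # 'main.ts' is a placeholder script name for illustration only
    print("suggested invocation:", " ".join(mitigated_command("main.ts", version)))
```

With --no-prompt, any permission the script needs that was not granted on the command line is denied instead of prompted for, so pair the flag with the explicit `--allow-*` grants the script legitimately requires rather than treating it as a drop-in replacement for the upgrade.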

Affected Version(s)

deno >= 1.9, < 1.29.3

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
