Deno improperly handles resizable ArrayBuffer
CVE-2023-28445

10 CRITICAL

Key Information:

Vendor

Denoland

Status
Vendor
CVE Published:
24 March 2023

What is CVE-2023-28445?

Deno Runtime 1.32.0 enabled V8's resizable ArrayBuffer support. Several of the runtime's asynchronous functions accept an ArrayBuffer and keep using it across the asynchronous operation; if the buffer is shrunk (resized to a smaller byte length) while such an operation is in flight, the runtime can read from or write to memory outside the buffer's new bounds, an out-of-bounds read/write in native code. Users of Deno Deploy are not affected. Deno 1.32.1 disables resizable ArrayBuffers as a temporary measure, and 1.32.2 is intended to re-enable them with a proper fix. Until upgraded, run Deno with the flag '--v8-flags=--no-harmony-rab-gsab' to turn the feature off.
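
The shrink-during-await pattern described above, modelled in plain JavaScript as an added example. This is not Deno's code: the "native op" is simulated, and the function names (captureForAsyncOp, completeAsyncOp, simulatedAsyncOp and so on) are illustrative. In JavaScript a typed-array view is bounds-checked, so a stale length only causes dropped writes; the point is to show which state an op captures before the await and why that state is stale afterwards, plus the caller-side defence of handing the op a fixed-length copy. The feature probe also tells you whether resizable ArrayBuffers are actually enabled in the engine you are running on, i.e. whether the '--no-harmony-rab-gsab' workaround is in effect.

```javascript
// Added example, not Deno's own code: models the hazard behind CVE-2023-28445
// in plain JavaScript. Function names are illustrative.

// Feature probe. On an engine without resizable ArrayBuffers (older V8, or
// Deno started with --v8-flags=--no-harmony-rab-gsab) the options bag is
// ignored, the buffer is not resizable and `resize` is absent: returns false.
function resizableArrayBuffersEnabled() {
  try {
    const ab = new ArrayBuffer(8, { maxByteLength: 16 });
    return ab.resizable === true && typeof ab.resize === "function";
  } catch {
    return false;
  }
}

// Phase 1 of a simulated asynchronous op: record the buffer and its byte
// length at call time, as native code would capture a pointer and a length.
function captureForAsyncOp(buffer) {
  return { view: new Uint8Array(buffer), capturedLength: buffer.byteLength };
}

// Phase 2, after the wait: write `capturedLength` bytes. The typed array is
// bounds-checked, so writes past the buffer's current end are dropped here;
// native code trusting the stale length would write outside the allocation.
function completeAsyncOp({ view, capturedLength }, fill = 0x41) {
  let written = 0;
  let dropped = 0;
  for (let i = 0; i < capturedLength; i++) {
    if (i < view.length) {
      view[i] = fill;
      written++;
    } else {
      dropped++;
    }
  }
  return { capturedLength, currentLength: view.length, written, dropped };
}

// The simulated op: capture, suspend on `gate`, then complete.
async function simulatedAsyncOp(buffer, gate) {
  const captured = captureForAsyncOp(buffer);
  await gate;
  return completeAsyncOp(captured);
}

// Race: start the op on a resizable buffer, shrink the buffer while the op
// is pending, then let it complete. Returns null when resizable buffers are
// unavailable (for example under the workaround flag).
async function shrinkDuringAsyncOp() {
  if (!resizableArrayBuffersEnabled()) return null;
  const buffer = new ArrayBuffer(16, { maxByteLength: 32 });
  let release;
  const gate = new Promise((resolve) => { release = resolve; });
  const op = simulatedAsyncOp(buffer, gate); // op has captured length 16
  buffer.resize(4);                           // shrink while the op is in flight
  release();
  return op;                                  // captured 16, only 4 bytes remain
}

// Caller-side defence: hand the op a fixed-length copy. `slice()` on a
// resizable ArrayBuffer returns a non-resizable buffer, so a later resize of
// the original cannot change the bytes the op is working on.
function snapshotForAsyncOp(buffer) {
  return buffer.slice(0);
}

async function shrinkDuringAsyncOpWithSnapshot() {
  if (!resizableArrayBuffersEnabled()) return null;
  const buffer = new ArrayBuffer(16, { maxByteLength: 32 });
  let release;
  const gate = new Promise((resolve) => { release = resolve; });
  const op = simulatedAsyncOp(snapshotForAsyncOp(buffer), gate);
  buffer.resize(4);                           // does not affect the snapshot
  release();
  return op;                                  // captured 16, all 16 written
}
```

Run it with 'deno run' (or node) on an engine with resizable ArrayBuffers: shrinkDuringAsyncOp() resolves to a result whose capturedLength (16) exceeds currentLength (4), with 12 of the 16 intended writes dropped, while the snapshot variant writes all 16 bytes. On Deno 1.32.1, or 1.32.0 started with the workaround flag, the probe returns false and both functions resolve to null.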

Affected Version(s)

deno = 1.32.0

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Note: the vector as listed (Privileges Required: Low, Scope: Changed, all impacts High) evaluates to 9.9 under the CVSS 3.1 formula; a score of 10.0 requires Privileges Required: None. One of the two values shown here is not consistent with the other.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 24 March 2023