Deno Sandbox Vulnerability Allows Unintended File Access
CVE-2024-34346

8.5 HIGH

Key Information:

Vendor: Denoland

Status
Vendor
CVE Published: 7 May 2024

What is CVE-2024-34346?

The Deno runtime executes JavaScript, TypeScript, and WebAssembly with secure defaults, but its sandbox can be weakened by granting read or write access to certain privileged files on operating systems such as Unix and Windows. For instance, reading /proc/self/environ can provide access equivalent to what normally requires an explicit runtime flag like --allow-env, while writing to /proc/self/mem might circumvent the intended security model, behaving as if full filesystem access is granted. Users who grant filesystem permissions with --allow-read or --allow-write should therefore exercise caution, as they might inadvertently extend the privileges of the code they run.

Deno version 1.43 and later require explicit --allow-all permission for access to sensitive locations: /etc, /dev, and paths in /proc and /sys on Linux, as well as any path starting with \ on Windows. The documentation failed to adequately convey these risks, highlighting the need for improved guidance to maintain robust security within the Deno sandbox.
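As an added example (not from the advisory or the Deno project), the following JavaScript audits a `deno run` argument list for `--allow-read` and `--allow-write` grants that overlap the sensitive locations named above. The function names and sample arguments are hypothetical, and relative paths are not resolved.

```javascript
// Added example; SENSITIVE_LINUX is taken from the advisory text, function names are hypothetical.
const SENSITIVE_LINUX = ["/etc", "/dev", "/proc", "/sys"];

// Collapse ".", ".." and duplicate slashes in an absolute POSIX path.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// True when a is b or an ancestor directory of b.
function covers(a, b) {
  return a === "/" || a === b || b.startsWith(a + "/");
}

// Returns a reason string if the granted path overlaps a sensitive location, else null.
function classifyGrant(grant) {
  if (grant.startsWith("\\")) return "windows path starting with \\";
  if (!grant.startsWith("/")) return null; // relative paths depend on cwd; not resolved here
  const g = normalizePosix(grant);
  for (const s of SENSITIVE_LINUX) {
    if (covers(g, s)) return `grant includes ${s}`;
    if (covers(s, g)) return `grant is inside ${s}`;
  }
  return null;
}

// Parse the argv of a `deno run` invocation and list risky --allow-read / --allow-write grants.
function auditDenoArgs(argv) {
  const findings = [];
  for (const arg of argv) {
    const m = /^--allow-(read|write)(?:=(.*))?$/.exec(arg);
    if (!m) continue;
    const [, kind, value] = m;
    if (value === undefined || value === "") {
      findings.push({ flag: arg, kind, reason: "unscoped grant includes every path" });
      continue;
    }
    for (const grant of value.split(",")) {
      const reason = classifyGrant(grant);
      if (reason) findings.push({ flag: arg, kind, path: grant, reason });
    }
  }
  return findings;
}
```

Run it over service unit files, container entrypoints, or CI scripts that launch Deno; any finding marks a grant that, on versions before 1.43.0, reaches the files this CVE describes.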

Affected Version(s)

deno < 1.43.0

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
