CVE-2023-22499Race Condition in Deno

CWE-362Race Condition3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 43.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
DenoDenoland Deno
Timeline
PublishedJan 17
Latest updateJan 20

Description

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program could clear the terminal screen after permission prompt was shown and write a generic message. This situation impacts users who use Web Worker API and relied on interactive permission prompt. The reproduction is very timing

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

NVDdeno/deno1.9.01.29.3
crates.iodeno/deno1.9.01.29.3
CVEListV5denoland/deno>= 1.9, < 1.29.3

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
Deno is vulnerable to race condition via interactive permission prompt spoofing2023-01-20
GHSA
Deno is vulnerable to race condition via interactive permission prompt spoofing2023-01-20