CVE-2024-32477OS Command Injection in Deno

CWE-78OS Command InjectionCWE-362Race Condition1 documents1 sources
Severity
7.4HIGHNVD
EPSS
0.2%
top 64.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Denoland DenoDeno
Timeline
PublishedApr 18

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel t

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages2 packages

NVDdeno/deno< 1.42.2
CVEListV5denoland/deno< 1.42.2