Denoland Deno vulnerabilities
27 known vulnerabilities affecting denoland/deno.
Total CVEs: 27
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 9, MEDIUM 8, LOW 2
Vulnerabilities
Page 2 of 2
CVE-2024-27931 | MEDIUM | CVSS 6.5 | CWE-20 | fixed in 1.41.1 | 2024-03-05
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to
nvd
CVE-2023-33966 | CRITICAL | CVSS 9.8 | CWE-269 | affected: deno = 1.34.0, deno_runtime = 0.114.0 | 2023-05-31
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. User
nvd
CVE-2023-28445 | CRITICAL | CVSS 9.8 | CWE-125 | Exploited | affected: = 1.32.0 | 2023-03-24
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy us
nvd
CVE-2023-28446 | HIGH | CVSS 8.8 | CWE-150 | affected: >= 1.8.0, < 1.31.2 | 2023-03-24
Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allow any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with any desired text. This works with any command on the respective platform, gi
nvd
CVE-2023-22499 | HIGH | CVSS 7.5 | CWE-362 | affected: >= 1.9, < 1.29.3 | 2023-01-17
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof the interactive permission prompt by rewriting the prompt to suggest that the program is waiting on user confirmation of an unrelated action. A malicious program could clear the terminal screen after the permission prompt was shown and write
nvd
CVE-2022-24783 | CRITICAL | CVSS 10.0 | CWE-269 | affected: >= 1.18.0, < 1.20.3 | 2022-03-25
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vul
nvd
CVE-2021-32619 | CRITICAL | CVSS 9.8 | CWE-285 | fixed in 1.10.2 | 2021-05-28
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno rel
nvd