Description
Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Because program names are printed without any ANSI filtering, a malicious program can clear the first 2 lines of an `op_spawn_child` or `op_kill` prompt and replace them with any desired text. This works with any command on the respective platform, giving the program full control over which program it actually runs. This problem cannot be exploited on systems that do not attach an interactive prompt (for example headless servers). This issue has been patched in version 1.31.2.
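As an added illustration of the defensive side of this issue (this is example code, not Deno's own prompt code and not the 1.31.2 fix), the JavaScript below renders every terminal control character in an untrusted program name as a visible escape before the name is placed into an interactive prompt, so the name can no longer move the cursor or clear the prompt lines. The function names, the prompt wording and the sample program name are assumptions constructed for this example.

```javascript
// Added example, not Deno's code: neutralise terminal control characters
// in an untrusted program name before it is shown in a permission prompt.
// Function names and the prompt wording are assumptions for illustration.

// C0 controls (including ESC, 0x1b), DEL, and C1 controls (0x80-0x9f):
// everything a terminal may interpret as cursor movement or line clearing.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/g;

// Replace each control character with an inert, visible form such as "\x1b".
function escapeControlChars(text) {
  return String(text).replace(CONTROL_CHARS, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, "0");
    return `\\x${hex}`;
  });
}

// True when the value carries anything a terminal would act on; useful for
// logging or auditing prompt content separately from rendering it.
function hasControlChars(text) {
  // Fresh (non-global) regex so .test() is not affected by lastIndex state.
  return new RegExp(CONTROL_CHARS.source).test(String(text));
}

// Build the prompt text. Only the fixed wording is trusted; the program
// name and its arguments are escaped before being interpolated.
function buildRunPrompt(program, args = []) {
  const shown = [program, ...args].map(escapeControlChars).join(" ");
  return [
    `Deno requests run access to "${shown}".`,
    "Allow? [y/n (y = yes, allow; n = no, deny)]",
  ].join("\n");
}

// Constructed sample: a name that embeds "cursor up 2 lines, clear to end
// of screen" ahead of a benign-looking program name.
const sampleName = "\x1b[2A\x1b[0Jls";

if (hasControlChars(sampleName)) {
  console.log("program name contains terminal control characters");
}
// The printed prompt shows the literal text \x1b[2A\x1b[0Jls, which the
// terminal does not interpret, instead of having its first lines erased.
console.log(buildRunPrompt(sampleName, ["-la"]));
```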
References (3)
Exploit, Vendor Advisory (x_refsource_confirm): https://github.com/denoland/deno/security/advisories/GHSA-vq67-rp93-65qf
Vendor Advisory (x_refsource_misc): https://github.com/denoland/deno/blob/7d13d65468c37022f003bb680dfbddd07ea72173/runtime/js/40_process.js#L175
Patch, Release Notes (x_refsource_misc): https://github.com/denoland/deno/releases/tag/v1.31.2
Scores
CVSS v3 base score: 8.8
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.0158
EPSS Percentile: 81.7%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-150
Status: published
Products (3)
crates.io/deno: 1.8.0 - 1.31.2 (crates.io)
crates.io/deno_runtime: 1.8.0 - 1.31.2 (crates.io)
deno/deno: < 1.31.2
Published: Mar 24, 2023
Tracked Since: Feb 18, 2026