CVE-2024-32477

HIGH

Deno < 1.42.2 - Permission Bypass via ANSI Escape Sequence Injection

Title source: llm

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and get data. For example the `\033[6n` sequence requests the current cursor position. These sequences allow us to append data to the standard input of Deno. This vulnerability allows an attacker to bypass Deno permission policy. This vulnerability is fixed in 1.42.2.

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j

Scores

CVSS v3 7.7

EPSS 0.0034

EPSS Percentile 25.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-362 CWE-78

Status published

Products (1)

deno/deno < 1.42.2

Published Apr 18, 2024

Tracked Since Feb 18, 2026