*const c_void / ExternalPointer unsoundness leading to use-after-free
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of the inherently unsafe *const c_void and ExternalPointer leads to use-after-free access of the underlying structure. An attacker who controls the code executed inside a Deno runtime can exploit this to obtain arbitrary code execution on the host machine regardless of permissions. The bug is known to be exploitable for both the *const c_void and ExternalPointer implementations. Version 1.40.3 fixes this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| deno (crates.io) | >= 1.36.2, < 1.40.3 | 1.40.3 |
References
- github.com/advisories/GHSA-3j27-563v-28wf (ghsa, ADVISORY)
- github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf (ghsa, x_refsource_CONFIRM, WEB)