crates.io package
deno
pkg:cargo/deno
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-33966 | — | >= 1.34.0, < 1.34.1 | 1.34.1 | May 31, 2023 | Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying | ||
| CVE-2023-28446 | — | >= 1.8.0, < 1.31.2 | 1.31.2 | Mar 24, 2023 | Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with an | ||
| CVE-2023-28445 | — | >= 1.32.0, < 1.32.1 | 1.32.1 | Mar 23, 2023 | Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in | ||
| CVE-2023-26103 | — | >= 1.12.0, < 1.31.0 | 1.31.0 | Feb 25, 2023 | Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade | ||
| CVE-2023-22499 | — | >= 1.9.0, < 1.29.3 | 1.29.3 | Jan 17, 2023 | Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program cou | ||
| CVE-2021-41641 | — | < 1.16.0 | 1.16.0 | Jun 12, 2022 | Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory. | ||
| CVE-2022-24783 | — | >= 1.18.0, < 1.20.3 | 1.20.3 | Mar 25, 2022 | Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell c | ||
| CVE-2021-32619 | — | >= 1.5.0, < 1.10.2 | 1.10.2 | May 28, 2021 | Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically i |
- CVE-2023-33966May 31, 2023affected >= 1.34.0, < 1.34.1fixed 1.34.1
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying
- CVE-2023-28446Mar 24, 2023affected >= 1.8.0, < 1.31.2fixed 1.31.2
Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with an
- CVE-2023-28445Mar 23, 2023affected >= 1.32.0, < 1.32.1fixed 1.32.1
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in
- CVE-2023-26103Feb 25, 2023affected >= 1.12.0, < 1.31.0fixed 1.31.0
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade
- CVE-2023-22499Jan 17, 2023affected >= 1.9.0, < 1.29.3fixed 1.29.3
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program cou
- CVE-2021-41641Jun 12, 2022affected < 1.16.0fixed 1.16.0
Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory.
- CVE-2022-24783Mar 25, 2022affected >= 1.18.0, < 1.20.3fixed 1.20.3
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell c
- CVE-2021-32619May 28, 2021affected >= 1.5.0, < 1.10.2fixed 1.10.2
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically i
Page 2 of 2