Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jMjV4LWNtOXgtcXFneM4AAyRG

Deno improperly handles resizable ArrayBuffer

Impact

Resizable ArrayBuffers passed to asynchronous native functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write.

It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0.

Deno Deploy users are not affected.

Patches

The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. A future version of Deno will re-enable resizable ArrayBuffers with a proper fix.

Workarounds

Upgrade to Deno 1.32.1, or run with --v8-flags=--no-harmony-rab-gsab to disable resizable ArrayBuffers.

Permalink: https://github.com/advisories/GHSA-c25x-cm9x-qqgx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMjV4LWNtOXgtcXFneM4AAyRG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-c25x-cm9x-qqgx, CVE-2023-28445
References: Repository: https://github.com/denoland/deno
Blast Radius: 25.5

Affected Packages

cargo:deno_runtime
Dependent packages: 24
Dependent repositories: 36
Downloads: 277,228 total
Affected Version Ranges: = 0.102.0
Fixed in: 0.103.0
All affected versions:
All unaffected versions: 0.1.0, 0.3.0, 0.4.0, 0.5.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.58.0, 0.59.0, 0.60.0, 0.61.0, 0.62.0, 0.63.0, 0.64.0, 0.65.0, 0.66.0, 0.67.0, 0.68.0, 0.69.0, 0.70.0, 0.71.0, 0.72.0, 0.73.0, 0.74.0, 0.75.0, 0.76.0, 0.77.0, 0.78.0, 0.79.0, 0.80.0, 0.81.0, 0.82.0, 0.83.0, 0.84.0, 0.85.0, 0.86.0, 0.87.0, 0.88.0, 0.89.0, 0.90.0, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.95.0, 0.96.0, 0.97.0, 0.98.0, 0.99.0, 0.100.0, 0.101.0, 0.102.0, 0.103.0, 0.104.0, 0.105.0, 0.106.0, 0.107.0, 0.108.0, 0.109.0, 0.110.0, 0.111.0, 0.112.0, 0.113.0, 0.114.0, 0.115.0, 0.116.0, 0.117.0, 0.118.0, 0.119.0, 0.120.0, 0.121.0, 0.122.0, 0.123.0, 0.124.0, 0.125.0, 0.126.0, 0.127.0, 0.128.0, 0.129.0, 0.130.0, 0.131.0, 0.132.0, 0.133.0, 0.134.0, 0.135.0, 0.136.0, 0.137.0, 0.138.0, 0.139.0, 0.140.0, 0.141.0, 0.142.0, 0.143.0, 0.144.0, 0.145.0, 0.146.0, 0.147.0, 0.148.0, 0.149.0, 0.150.0, 0.151.0, 0.152.0, 0.153.0, 0.154.0, 0.155.0, 0.156.0, 0.157.0, 0.158.0, 0.159.0, 0.160.0, 0.161.0, 0.162.0, 0.163.0, 0.164.0, 0.165.0, 0.166.0, 0.167.0, 0.168.0, 0.169.0, 0.170.0, 0.171.0, 0.172.0, 0.173.0, 0.174.0, 0.175.0, 0.176.0, 0.177.0, 0.178.0, 0.179.0, 0.180.0, 0.181.0, 0.182.0, 0.183.0, 0.184.0, 0.185.0, 0.186.0, 0.187.0
cargo:serde_v8
Dependent packages: 11
Dependent repositories: 356
Downloads: 1,821,952 total
Affected Version Ranges: = 0.87.0
Fixed in: 0.88.0
All affected versions:
All unaffected versions: 0.0.0, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.53.0, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.58.0, 0.59.0, 0.60.0, 0.61.0, 0.62.0, 0.63.0, 0.64.0, 0.65.0, 0.66.0, 0.67.0, 0.68.0, 0.69.0, 0.70.0, 0.71.0, 0.72.0, 0.73.0, 0.74.0, 0.75.0, 0.76.0, 0.77.0, 0.78.0, 0.79.0, 0.80.0, 0.81.0, 0.82.0, 0.83.0, 0.84.0, 0.85.0, 0.86.0, 0.87.0, 0.88.0, 0.89.0, 0.90.0, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.95.0, 0.96.0, 0.97.0, 0.98.0, 0.99.0, 0.100.0, 0.101.0, 0.102.0, 0.103.0, 0.104.0, 0.105.0, 0.106.0, 0.107.0, 0.108.0, 0.109.0, 0.110.0, 0.111.0, 0.112.0, 0.113.0, 0.114.0, 0.115.0, 0.116.0, 0.117.0, 0.118.0, 0.119.0, 0.120.0, 0.121.0, 0.123.0, 0.124.0, 0.125.0, 0.126.0, 0.127.0, 0.128.0, 0.129.0, 0.130.0, 0.131.0, 0.132.0, 0.133.0, 0.134.0, 0.135.0, 0.136.0, 0.137.0, 0.138.0, 0.139.0, 0.140.0, 0.141.0, 0.142.0, 0.143.0, 0.144.0, 0.145.0, 0.146.0, 0.147.0, 0.148.0, 0.149.0, 0.150.0, 0.151.0, 0.152.0, 0.153.0, 0.154.0, 0.155.0, 0.156.0, 0.157.0, 0.158.0, 0.160.0, 0.161.0, 0.162.0, 0.163.0, 0.164.0, 0.165.0, 0.166.0, 0.167.0, 0.168.0, 0.169.0, 0.170.0, 0.171.0, 0.172.0, 0.173.0, 0.174.0, 0.175.0, 0.176.0, 0.177.0, 0.178.0, 0.179.0, 0.180.0, 0.181.0, 0.182.0, 0.183.0, 0.184.0, 0.185.0, 0.186.0, 0.187.0, 0.188.0, 0.189.0, 0.190.0, 0.191.0, 0.192.0, 0.193.0, 0.194.0, 0.195.0, 0.196.0, 0.197.0, 0.198.0, 0.199.0, 0.200.0, 0.201.0, 0.202.0, 0.203.0, 0.204.0, 0.205.0, 0.206.0, 0.207.0, 0.208.0, 0.209.0, 0.210.0, 0.211.0, 0.212.0, 0.213.0, 0.214.0, 0.215.0, 0.216.0, 0.217.0, 0.218.0, 0.219.0, 0.220.0, 0.221.0, 0.222.0, 0.223.0, 0.223.1, 0.224.0, 0.225.0, 0.226.0, 0.227.0, 0.228.0, 0.229.0
cargo:Deno
Dependent packages: 5
Dependent repositories: 1
Downloads: 320,837 total
Affected Version Ranges: = 1.32.0
Fixed in: 1.32.1
All affected versions:
All unaffected versions: 0.0.1, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.38.0, 0.40.0, 0.41.0, 0.42.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.3, 1.4.0, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.5, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.11.4, 1.11.5, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.18.0, 1.18.1, 1.18.2, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.20.1, 1.20.2, 1.20.3, 1.20.4, 1.20.5, 1.20.6, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.25.0, 1.25.1, 1.25.2, 1.25.3, 1.25.4, 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.27.1, 1.27.2, 1.28.0, 1.28.1, 1.28.2, 1.28.3, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.29.4, 1.30.0, 1.30.1, 1.30.2, 1.30.3, 1.31.0, 1.31.1, 1.31.2, 1.31.3, 1.32.0, 1.32.1, 1.32.2, 1.32.3, 1.32.4, 1.32.5, 1.33.0, 1.33.1, 1.33.2, 1.33.3, 1.33.4, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.35.0, 1.35.1, 1.35.2, 1.35.3, 1.36.0, 1.36.1, 1.36.2, 1.36.3, 1.36.4, 1.37.0, 1.37.1, 1.37.2, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.38.5, 1.39.0, 1.39.1, 1.39.2, 1.39.3, 1.39.4, 1.40.0, 1.40.1, 1.40.2, 1.40.3, 1.40.4, 1.40.5, 1.41.0, 1.41.1, 1.41.2, 1.41.3, 1.42.0, 1.42.1, 1.42.2, 1.42.3, 1.42.4, 1.43.0, 1.43.1, 1.43.2, 1.43.3, 1.43.4, 1.43.5, 1.43.6, 1.44.0, 1.44.1, 1.44.2, 1.44.3, 1.44.4, 1.45.0, 1.45.1, 1.45.2, 1.45.3, 1.45.4, 1.45.5, 1.46.0, 1.46.1, 1.46.2, 1.46.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0