CVE-2023-28445

Deno improperly handles resizable ArrayBuffer

Basic Information

CVE State
PUBLISHED
Reserved Date
March 15, 2023
Published Date
March 23, 2023
Last Updated
February 20, 2025
Vendor
denoland
Product
deno
Description
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation
none
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2023-03-23 23:23:27 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2023-03-23 23:23:27 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel