Vulnerability Description
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. A resizable ArrayBuffer passed to an asynchronous function, then shrunk while that operation is still pending, could result in an out-of-bounds read or write: the asynchronous op captures the buffer's length when it is invoked, and if JavaScript shrinks the buffer before the op completes, the op still accesses the original length. It is unlikely that this has been exploited in the wild, as the only affected version is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by temporarily disabling resizable ArrayBuffers in Deno 1.32.1; Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.
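The following is an added illustration, not code from the Deno project or from the advisory. It models the shrink-during-await window in plain JavaScript (no imports, so it runs in Node 20+ or Deno), shows the hardened form that refuses resizable buffers as 1.32.1 did, and includes a check that reports whether resizable ArrayBuffers are enabled at all, which is what the `--no-harmony-rab-gsab` workaround turns off. The function names `resizableArrayBuffersEnabled`, `vulnerableReadInto`, `hardenedReadInto` and `demo` are hypothetical.

```javascript
// Added example (not Deno's code): models the CVE-2023-28445 hazard.
// The real bug was in Deno's native op layer, which held a raw
// pointer/length pair across the await; the JS-level length snapshot
// below stands in for that stale pointer/length.

// Returns true when the runtime exposes resizable ArrayBuffers.
// Under the advisory's workaround (--v8-flags=--no-harmony-rab-gsab)
// this returns false; on runtimes without the feature it also returns false.
function resizableArrayBuffersEnabled() {
  try {
    const ab = new ArrayBuffer(1, { maxByteLength: 2 });
    return ab.resizable === true && typeof ab.resize === "function";
  } catch {
    return false;
  }
}

// Model of the vulnerable op: the length is captured before the await and
// trusted after it, exactly the window in which the caller can shrink the
// buffer. `fill` is the caller-supplied async step (hypothetical parameter).
// Returns how far the stale length overshoots the live buffer.
async function vulnerableReadInto(buf, fill) {
  const view = new Uint8Array(buf);   // length-tracking view of `buf`
  const staleLen = view.byteLength;   // like a native ptr+len pair
  await fill();                       // caller's code runs here, may shrink buf
  const liveLen = view.byteLength;    // view reflects the shrink
  // A native op would now write staleLen bytes through the old pointer.
  return { staleLen, liveLen, overshoot: Math.max(0, staleLen - liveLen) };
}

// Hardened op: refuse resizable buffers outright (what Deno 1.32.1 did), and
// re-check the view after the await as defence in depth. Returns bytes written.
async function hardenedReadInto(buf, fill) {
  if (buf.resizable === true) {
    throw new TypeError("resizable ArrayBuffer not supported by this op");
  }
  const view = new Uint8Array(buf);
  const staleLen = view.byteLength;
  await fill();
  if (view.byteLength !== staleLen) {
    throw new RangeError("buffer changed size during async op");
  }
  view.fill(0x41, 0, staleLen);       // constructed payload: 'A' bytes
  return staleLen;
}

// Reproduces the advisory's scenario: a 16-byte resizable buffer handed to the
// op, then shrunk to 4 bytes while the op is pending. Returns null when the
// runtime has resizable ArrayBuffers disabled (e.g. under the workaround flag).
async function demo() {
  if (!resizableArrayBuffersEnabled()) return null;
  const buf = new ArrayBuffer(16, { maxByteLength: 64 });
  return vulnerableReadInto(buf, async () => buf.resize(4));
  // -> { staleLen: 16, liveLen: 4, overshoot: 12 }
}
```

Because JavaScript's length-tracking views are memory safe, this only exposes the stale-length window as a number; the actual out-of-bounds access in 1.32.0 happened in the Rust op holding the old pointer. Running `demo()` under `--v8-flags=--no-harmony-rab-gsab` returns `null`, which is a quick way to confirm the workaround took effect on a 1.32.0 install.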
CVSS Score
9.9 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deno | Deno | 1.32.0 |
| Deno | Deno Runtime | 0.102.0 |
| Deno | Serde V8 | 0.87.0 |
Related Weaknesses (CWE)
References
- https://github.com/denoland/deno/pull/18395 (Patch, Vendor Advisory)
- https://github.com/denoland/deno/releases/tag/v1.32.1 (Patch, Release Notes)
- https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx (Mitigation, Vendor Advisory)
FAQ
What is CVE-2023-28445?
CVE-2023-28445 is a vulnerability with a CVSS score of 9.9 (CRITICAL) in Deno, a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. A resizable ArrayBuffer passed to an asynchronous function and shrunk while that operation is pending could result in an out-of-bounds read or write. Only Deno 1.32.0 is affected; Deno Deploy users are not affected.
How severe is CVE-2023-28445?
CVE-2023-28445 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-28445?
Yes. Deno 1.32.1 temporarily disables resizable ArrayBuffers, and Deno 1.32.2 re-enables them with a proper fix; see the pull request, release notes and GHSA advisory in the references section above. Until you can upgrade, run Deno with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers. Affected products: Deno 1.32.0, Deno Runtime 0.102.0 and Serde V8 0.87.0.