CVE-2023-33966 — HIGH (8.6)

Vulnerability Description

Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Deno	Deno	1.34.0
Deno	Deno Runtime	0.114.0

Related Weaknesses (CWE)

CWE-269 CWE-276

References

https://github.com/denoland/deno/releases/tag/v1.34.1Release Notes
https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2fVendor Advisory
https://github.com/denoland/deno/releases/tag/v1.34.1Release Notes
https://github.com/denoland/deno/security/advisories/GHSA-vc52-gwm3-8v2fVendor Advisory

FAQ

What is CVE-2023-33966?

CVE-2023-33966 is a vulnerability with a CVSS score of 8.6 (HIGH). Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked...

How severe is CVE-2023-33966?

CVE-2023-33966 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-33966?

Check the references section above for vendor advisories and patch information. Affected products include: Deno Deno, Deno Deno Runtime.