CVE-2023-28445

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28445

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28445.json

Aliases

GHSA-c25x-cm9x-qqgx

Published

2023-03-24T00:15:15Z

Modified

2023-11-29T10:03:21.137644Z

Details

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with --v8-flags=--no-harmony-rab-gsab to disable resizable ArrayBuffers.

References

Affected packages

Git / github.com/denoland/deno_std

Affected ranges

Type: GIT
Repo: https://github.com/denoland/deno_std
Events: Introduced

0The exact introduced commit is unknown

Last affected

6a3446d0cf1875384f98dfda5154a5a022f74f53

Last affected

95565a6e6e840a9cbbe484c7a9c70dc3c7627ab1

Affected versions

0.*

0.85.0

0.86.0

0.87.0

Other

20190516

20190520

v0.*

v0.1.11

v0.1.12

v0.10.0

v0.11.0

v0.12.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.2.0

v0.2.1

v0.2.10

v0.2.11

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.2.9

v0.20.0

v0.3.0

v0.3.1

v0.3.10

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.8

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0