CVE-2024-32477

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-32477
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32477.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-32477
Aliases
  • GHSA-95cj-3hr2-7j5j
Downstream
Published
2024-04-18T19:58:25.993Z
Modified
2026-04-10T05:12:13.675826Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Race condition when flushing input stream leads to permission prompt bypass
Details

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between libc::tcflush(0, libc::TCIFLUSH) and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and get data. For example the \033[6n sequence requests the current cursor position. These sequences allow us to append data to the standard input of Deno. This vulnerability allows an attacker to bypass Deno permission policy. This vulnerability is fixed in 1.42.2.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32477.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-362",
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/denoland/deno

Affected ranges

Type
GIT
Repo
https://github.com/denoland/deno
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
04c0a4cbf7c00811d3ace3184c1cb8597a0e88f1

Affected versions

std/0.*
std/0.34.0
std/0.35.0
std/0.36.0
std/0.37.0
std/0.38.0
std/0.39.0
std/0.40.0
std/0.41.0
std/0.42.0
std/0.50.0
std/0.51.0
std/0.52.0
std/0.53.0
std/0.54.0
std/0.55.0
std/0.56.0
std/0.57.0
std/0.58.0
std/0.59.0
std/0.60.0
std/0.61.0
std/0.62.0
std/0.63.0
std/0.64.0
std/0.65.0
std/0.66.0
std/0.67.0
std/0.68.0
std/0.69.0
std/0.70.0
std/0.71.0
std/0.72.0
std/0.73.0
std/0.74.0
std/0.75.0
std/0.76.0
std/0.77.0
std/0.78.0
std/0.79.0
std/0.80.0
std/0.81.0
std/0.82.0
std/0.83.0
std/0.84.0
std/0.85.0
v0.*
v0.0.1
v0.0.3
v0.1.0
v0.1.1
v0.1.10
v0.1.11
v0.1.12
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.20.0
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.28.1
v0.29.0
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.30.0
v0.30.1
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.37.0
v0.37.1
v0.38.0
v0.39.0
v0.4.0
v0.40.0
v0.41.0
v0.42.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.0.0-rc1
v1.0.0-rc2
v1.0.0-rc3
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.10.0
v1.10.1
v1.11.0
v1.11.1
v1.11.2
v1.12.0
v1.12.1
v1.12.2
v1.13.0
v1.13.1
v1.13.2
v1.14.0
v1.14.1
v1.14.2
v1.15.0
v1.15.1
v1.15.2
v1.15.3
v1.16.0
v1.16.1
v1.16.2
v1.17.0
v1.18.0
v1.19.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.20.0
v1.20.1
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.28.0
v1.29.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.36.0
v1.37.0
v1.38.0
v1.39.0
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.40.0
v1.41.0
v1.42.0
v1.42.1
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.8.0
v1.8.1
v1.8.2
v1.9.0
v1.9.1
v1.9.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32477.json"