GHSA-c25x-cm9x-qqgx

Source
https://github.com/advisories/GHSA-c25x-cm9x-qqgx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-c25x-cm9x-qqgx/GHSA-c25x-cm9x-qqgx.json
Aliases
Published
2023-03-23T23:13:25Z
Modified
2023-11-08T04:12:11.261571Z
Details

Impact

A resizable ArrayBuffer that is passed to an asynchronous native function and then shrunk while that operation is still in progress could result in an out-of-bounds read or write, because the native side keeps using the buffer size it observed when the call started, which is no longer valid after the shrink.

Exploitation in the wild is unlikely, as the only affected release is Deno 1.32.0.

Deno Deploy users are not affected.

Patches

The problem has been mitigated in Deno 1.32.1 by temporarily disabling resizable ArrayBuffers. A future version of Deno will re-enable resizable ArrayBuffers once a proper fix is in place.

Workarounds

Upgrade to Deno 1.32.1, or run Deno 1.32.0 with --v8-flags=--no-harmony-rab-gsab to disable resizable ArrayBuffers. The flag must be passed on every invocation and turns the feature off for all code in the process: scripts that rely on ArrayBuffer.prototype.resize or the maxByteLength constructor option will stop working under it. To confirm that the flag (or the 1.32.1 upgrade) took effect, check at runtime that ArrayBuffer.prototype.resize is undefined.
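The following is an added example, not code from Deno or from this advisory. It models the Impact section's race (a native op captures the buffer length at call time and keeps using it after JavaScript shrinks the buffer) and the Workarounds section's feature probe (what --no-harmony-rab-gsab turns off). simulatedNativeFill is a constructed stand-in for an asynchronous native op; the advisory does not enumerate which Deno ops were affected, so treating any async buffer-taking API as a candidate for the withFixedBuffer guard is an assumption. JavaScript cannot reproduce the actual out-of-bounds write, so the model reports the stale length instead of corrupting memory.

```javascript
// Added example; not Deno's own code. simulatedNativeFill is a constructed
// stand-in for an asynchronous native op that writes into a caller-supplied
// buffer: it snapshots the length when called and only writes after a turn
// of the event loop, which is where JS code can shrink the buffer.

// What the --no-harmony-rab-gsab workaround (or the 1.32.1 upgrade) turns off:
// with resizable ArrayBuffers disabled, ArrayBuffer.prototype.resize does not
// exist and new ArrayBuffer(n, { maxByteLength }) yields a fixed-length buffer.
function resizableBuffersEnabled() {
  return typeof ArrayBuffer.prototype.resize === "function";
}

// Model of the vulnerable pattern. Real native code would keep writing
// capturedLength bytes through a raw pointer; here the typed-array write is
// bounds-checked, so the function just reports how far it would have overrun.
async function simulatedNativeFill(view, byte) {
  const capturedLength = view.byteLength; // snapshot taken at call time
  await new Promise((resolve) => setTimeout(resolve, 0)); // caller may resize here
  const liveLength = view.byteLength; // 0 if the view is now out of bounds
  for (let i = 0; i < liveLength; i++) view[i] = byte;
  return { capturedLength, liveLength, overrun: capturedLength - liveLength };
}

// How many bytes of a completed op's output still fit in the (possibly
// shrunk) destination buffer. Pure, so it is checkable without the feature.
function copyBackLength(stagingLength, bufferByteLength, byteOffset) {
  return Math.max(0, Math.min(stagingLength, bufferByteLength - byteOffset));
}

// Application-level guard: the op never sees a view over a resizable buffer.
// It gets a fixed-length staging copy; results are copied back afterwards,
// truncated to whatever the caller's buffer can still hold.
async function withFixedBuffer(view, op) {
  if (!view.buffer.resizable) return op(view); // fixed-length buffers are safe as-is
  const staging = new Uint8Array(view.byteLength);
  staging.set(view);
  const result = await op(staging);
  const n = copyBackLength(staging.length, view.buffer.byteLength, view.byteOffset);
  if (n > 0) new Uint8Array(view.buffer, view.byteOffset, n).set(staging.subarray(0, n));
  return result;
}

// Runs the unguarded and guarded variants side by side. Returns null on an
// engine where resizable ArrayBuffers are disabled (nothing to demonstrate).
async function demo() {
  if (!resizableBuffersEnabled()) return null;

  const raw = new ArrayBuffer(64, { maxByteLength: 64 });
  const pending = simulatedNativeFill(new Uint8Array(raw), 0x41);
  raw.resize(16); // shrink while the op is in flight
  const unguarded = await pending; // capturedLength 64, liveLength 16, overrun 48

  const guardedBuf = new ArrayBuffer(64, { maxByteLength: 64 });
  const guardedView = new Uint8Array(guardedBuf); // length-tracking view
  const pendingGuarded = withFixedBuffer(guardedView, (v) => simulatedNativeFill(v, 0x42));
  guardedBuf.resize(16);
  const guarded = await pendingGuarded; // op only ever saw the fixed 64-byte staging copy
  return {
    unguarded,
    guarded,
    bytesCopiedBack: guardedView.byteLength, // 16: only what still fits
    firstByte: guardedView[0], // 0x42
  };
}

demo().then((r) => console.log(r === null ? "resizable ArrayBuffers disabled" : r));
```

The guard trades a copy per call for the certainty that native code only ever holds a pointer into a buffer whose length cannot change; it is an interim measure for code that must stay on 1.32.0, not a substitute for upgrading.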

References

Affected packages

crates.io / Deno

Package

Name
Deno

Affected ranges

Type
SEMVER
Events
Introduced
1.32.0
Fixed
1.32.1

Affected versions

1.*

1.32.0

crates.io / serde_v8

Package

Name
serde_v8

Affected ranges

Type
SEMVER
Events
Introduced
0.87.0
Fixed
0.88.0

Affected versions

0.*

0.87.0

crates.io / deno_runtime

Package

Name
deno_runtime

Affected ranges

Type
SEMVER
Events
Introduced
0.102.0
Fixed
0.103.0

Affected versions

0.*

0.102.0