CVE-2023-28445

moderate-risk
Published 2023-03-24

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected. The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. Deno 1.32.2 will re-enable resizable ArrayBuffers with a proper fix. As a workaround, run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.

Do I need to act?

-
0.72% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 99b5eaa2f4f81b0f6fb46a388808a0d8f40b91e1
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Deno Runtime
Serde V8

Affected Vendors

Deno

References (6)

Patch https://github.com/denoland/deno/pull/18395
Patch https://github.com/denoland/deno/releases/tag/v1.32.1
Mitigation https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx
Patch https://github.com/denoland/deno/pull/18395
Patch https://github.com/denoland/deno/releases/tag/v1.32.1
Mitigation https://github.com/denoland/deno/security/advisories/GHSA-c25x-cm9x-qqgx
44
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 2/34 · Minimal
Exposure 9/34 · Low