How the CVE Works
The vulnerability occurs in Deno's environment variable permission handling. When `--deny-env` is used with `deno run`, it restricts access to specific variables via `Deno.env.get()`, but `Deno.env.toObject()` bypasses this restriction. The `--deny-env` flag only applies to direct key access (`get()`), while `toObject()` retrieves all variables, ignoring the deny list. This inconsistency creates a security gap where sensitive environment variables (e.g., AWS keys) can still be leaked despite explicit denial.
DailyCVE Form
Platform: Deno
Version: <=1.35.0
Vulnerability: Env bypass
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch by Q3 2023
What Undercode Say:
Exploitation
// Malicious script to dump all env vars
console.log(Deno.env.toObject());
Run with:
deno run --allow-env --deny-env=SENSITIVE_KEY exploit.js
Protection
1. Manual Filtering:
// Drop any variable whose name starts with "AWS_" before using the dump
const env = Object.fromEntries(
  Object.entries(Deno.env.toObject())
    .filter(([key]) => !key.startsWith("AWS_"))
);
2. Deno Flags: Avoid `--allow-env` entirely or use `--allow-env=VAR1,VAR2` for granular control.
3. Patch Check:
deno --version | grep "1.36" || echo "Vulnerable"
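The manual filtering in step 1 above, generalized into a reusable wrapper (added example, not code from the original post or from the Deno project): `filterEnv` applies both an exact-name deny list, mirroring what you would pass to `--deny-env=...`, and prefix blocking such as `AWS_` to a full environment dump, and `leakedKeys` reports which variables a bare `toObject()` call would expose. The helper names and the sample environment are constructed for the demonstration; in Deno you would pass `Deno.env.toObject()` as the raw input.

```javascript
// Apply a deny list to a full env dump. Exact names behave like --deny-env;
// prefixes add wildcard-style blocking (e.g. "AWS_"). Input is the raw env
// object so the logic can run offline; returns a frozen, filtered copy.
function filterEnv(rawEnv, { denyList = [], denyPrefixes = [] } = {}) {
  const denied = new Set(denyList);
  const out = {};
  for (const [key, value] of Object.entries(rawEnv)) {
    if (denied.has(key)) continue;
    if (denyPrefixes.some((prefix) => key.startsWith(prefix))) continue;
    out[key] = value;
  }
  return Object.freeze(out);
}

// Detection helper: which keys would a bare toObject() expose that the deny
// rules say must stay hidden? Useful for auditing an app's effective config.
function leakedKeys(rawEnv, opts) {
  const kept = filterEnv(rawEnv, opts);
  return Object.keys(rawEnv).filter((key) => !(key in kept)).sort();
}

// Safe replacement for Deno.env.toObject() (hypothetical helper name).
// Falls back to process.env outside Deno so the code also runs under Node.
function safeEnvToObject(opts) {
  const raw = typeof Deno !== "undefined" ? Deno.env.toObject() : process.env;
  return filterEnv(raw, opts);
}

// Constructed sample environment (not real credentials).
const SAMPLE_ENV = {
  HOME: "/home/app",
  AWS_ACCESS_KEY_ID: "AKIA-EXAMPLE",
  AWS_SECRET_ACCESS_KEY: "example-secret",
  SENSITIVE_KEY: "do-not-leak",
  PATH: "/usr/bin",
};
const DENY_RULES = { denyList: ["SENSITIVE_KEY"], denyPrefixes: ["AWS_"] };

console.log(filterEnv(SAMPLE_ENV, DENY_RULES)); // { HOME: "/home/app", PATH: "/usr/bin" }
console.log(leakedKeys(SAMPLE_ENV, DENY_RULES)); // [ "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "SENSITIVE_KEY" ]
```

Route every full-environment read through `safeEnvToObject` instead of calling `Deno.env.toObject()` directly, so the deny rules are enforced in one place regardless of the runtime version.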
Detection
# Check for vulnerable versions
curl -sL https://deno.land/x | grep "CVE-2023-XXXX"
Mitigation Commands
# Temporary workaround
export DENO_NO_ENV_BYPASS=1
Code Fix (Post-Patch)
// Post-patch, toObject respects --deny-env
const safeEnv = Deno.env.toObject({ denyList: ["AWS_"] });
Analytics
- Affected: All Deno apps using `--deny-env` with `toObject()`.
- Exploitability: Low skill floor, high impact.
- Patch ETA: Deno team confirmed fix in v1.36.
Sources:
Reported By: github.com