How the CVE Works:
This vulnerability occurs due to incorrect permission flag precedence in Deno's runtime. When conflicting `--allow-*` and `--deny-*` flags are passed (e.g., `--allow-read --deny-read`), the `deny` rule should override `allow`. However, due to a fast-exit logic flaw (22894), the runtime incorrectly grants permissions. The issue affects all global unary permission flags, allowing unintended access despite explicit denials.
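A precedence probe, added here as an example (not code from the post or from the Deno project): it derives the expected state of each global unary permission from the flag list using the rule above (deny beats allow) and reports any permission the runtime grants despite an explicit deny. It assumes the run flags are repeated after the script name, since Deno.args does not include the flags that `deno run` itself consumed; the runtime query only executes when a Deno global is present.

```javascript
// Added example (not from the post or the Deno project). Assumption: the
// --allow-/--deny- flags are repeated as script arguments, because Deno.args
// does not expose the flags consumed by `deno run` itself.
const UNARY = ["read", "write", "net", "env", "run", "ffi", "hrtime"];

// Parse --allow-<perm> / --deny-<perm>; a value form such as --allow-read=/tmp
// is treated as the same unary flag here (a simplification of Deno's parser).
function parseFlags(argv) {
  const allow = new Set(), deny = new Set();
  for (const arg of argv) {
    const m = /^--(allow|deny)-([a-z]+)(?:=.*)?$/.exec(arg);
    if (!m || !UNARY.includes(m[2])) continue;
    (m[1] === "allow" ? allow : deny).add(m[2]);
  }
  return { allow, deny };
}

// Intended precedence: deny wins over allow; neither flag means "prompt".
function expectedState(name, { allow, deny }) {
  if (deny.has(name)) return "denied";
  if (allow.has(name)) return "granted";
  return "prompt";
}

// Permissions the flags say to deny but the runtime reports as granted:
// exactly the bypass the post describes. observed maps name -> state.
function findPrecedenceViolations(argv, observed) {
  const flags = parseFlags(argv);
  return UNARY.filter(
    (n) => expectedState(n, flags) === "denied" && observed[n] === "granted",
  );
}

// Query the live runtime; only meaningful under Deno, e.g.
//   deno run --allow-read --deny-read probe.js --allow-read --deny-read
// A patched runtime prints "violations: []"; a vulnerable one lists "read".
async function probeRuntime(argv) {
  const observed = {};
  for (const name of UNARY) {
    observed[name] = (await Deno.permissions.query({ name })).state;
  }
  return findPrecedenceViolations(argv, observed);
}

if (typeof Deno !== "undefined") {
  probeRuntime(Deno.args).then((v) => console.log("violations:", v));
}
```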
DailyCVE Form:
Platform: Deno
Version: <=1.35.0
Vulnerability: Permission bypass
Severity: Medium
Date: 2023-XX-XX
Prediction: Patch by Q3 2023
What Undercode Say:
Analytics:
- Affects: Deno runtime misconfiguration.
- Exploitability: Low (requires nonsensical flags).
- Mitigation: Manual flag validation.
Exploit Command:
deno run --allow-net --deny-net malicious.ts
Protection Code:
// Validate flags before execution: this script expects "read" to be denied.
// Deno.permissions.query() returns a Promise, so its result must be awaited.
const { state } = await Deno.permissions.query({ name: "read" });
if (state === "granted") { throw new Error("Permission conflict detected"); }
Patch Verification:
deno --version | grep "1.36.0"
Log Analysis:
grep "Permission denied" deno_logs.txt
Workaround:
Use --deny- flags exclusively, without any conflicting --allow- flag:
deno run --deny-read app.ts
Debugging:
// query() is async; without await this would only log a pending Promise
console.log(await Deno.permissions.query({ name: "read" }));
Reference Fix:
- if (allow) return true; + if (deny) return false;
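Review bot: the hunk drops the `if (allow) return true;` early return entirely and adds only `if (deny) return false;`, so nothing in the shown lines grants a permission that was allowed without a matching deny. The fix should reorder rather than remove: check deny first and keep the allow return after it, e.g. `if (deny) return false; if (allow) return true;`.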
Impact Check:
deno run --allow-env --deny-env test.ts
Automated Test:
// std version is an assumption; run with: deno test --allow-read --deny-read
import { assertRejects } from "https://deno.land/std@0.224.0/assert/mod.ts";
// Deno.readFile is async, so assertThrows would never see the rejection
Deno.test("Flag precedence", async () => {
  await assertRejects(() => Deno.readFile("/etc/passwd"), Deno.errors.PermissionDenied);
});
Monitoring:
watch -n 1 "deno run --allow-read --deny-read probe.ts"
Cleanup:
pkill -f "deno --allow- --deny-"
Sources:
Reported By: github.com