PT-2021-19811 · Deno · Deno

Lucacasonato +1 · Published 2021-05-28 · Updated 2026-04-14 · CVE-2021-32619

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Deno versions 1.5.0 through 1.10.1

Description

The issue concerns modules dynamically imported through import() or new Worker that might bypass network and file system permission checks when statically importing other modules. An attacker in control of a module in a program's module graph could initiate GET requests to arbitrary URLs and possibly read the contents of these resources, or check for existence of arbitrary paths on the file system and possibly read the contents of these files. This vulnerability was not present in releases prior to 1.5.0 and was not abused in the wild, as indicated by the lack of reports and the default behavior of Deno printing a "Download" message when remote imports are downloaded.

Recommendations

For Deno versions 1.5.0 through 1.10.1, upgrade to Deno release 1.10.2 by running the deno upgrade command to patch the vulnerability. At the moment, there is no workaround for this issue other than upgrading to the patched version.
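
A way to check whether an installed Deno falls in the affected range before and after upgrading. This is an added example, not part of the advisory or the Deno project; the function names are hypothetical, and it assumes the first line of `deno --version` output has the form `deno x.y.z (...)`.

```shell
#!/bin/sh
# Affected range per the advisory: 1.5.0 through 1.10.1 inclusive; fixed in 1.10.2.

# Read `deno --version` output on stdin and print the x.y.z from its first line.
deno_version_from_output() {
    sed -n '1s/^deno \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Pack x.y.z into one integer so versions compare numerically
# (as strings, "1.10.1" would sort before "1.5.0").
version_key() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Exit status: 0 = affected, 1 = not affected, 2 = version could not be parsed.
deno_affected() {
    key=$(version_key "$1") || return 2
    [ "$key" -ge 1005000 ] && [ "$key" -le 1010001 ]
}

# Check the deno binary on PATH, if any.
check_installed_deno() {
    command -v deno >/dev/null 2>&1 || { echo "deno not found on PATH"; return 0; }
    installed=$(deno --version | deno_version_from_output)
    rc=0; deno_affected "$installed" || rc=$?
    case $rc in
        0) echo "deno $installed is in the affected range: run 'deno upgrade'" ;;
        1) echo "deno $installed is outside the affected range" ;;
        *) echo "could not parse a version from 'deno --version'" ;;
    esac
}

check_installed_deno
```

The same `deno_affected` function can be pointed at version strings pinned in CI configuration or container tags, which `deno upgrade` on a workstation does not touch.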

Fix

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

CVE-2021-32619
GHSA-XPWJ-7V8Q-MCGJ
JLSEC-2026-98

Affected Products

Deno