CVE-2023-22499

Name of the Vulnerable Software and Affected Versions Deno versions prior to 1.29.3

Description The issue is related to errors in synchronization when using a shared resource in Deno, a runtime for JavaScript and TypeScript. This could allow a remote attacker to execute arbitrary code. Multi-threaded programs can spoof interactive permission prompts, potentially tricking users into allowing unauthorized actions. The problem impacts users who rely on interactive permission prompts, especially those using the Web Worker API. The exploitation is timing-sensitive and cannot be reliably reproduced. This issue cannot be exploited on systems without an interactive prompt, such as headless servers.

Recommendations For Deno versions prior to 1.29.3, update to version 1.29.3 to resolve the issue. As a temporary workaround for users unable to upgrade, run Deno with the --no-prompt flag to disable interactive permission prompts.