PT-2024-22147 · Deno · Deno
Leesh3288 · Published 2024-03-06 · Updated 2025-01-03 · CVE-2024-27933
CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Deno version 1.39.0
Description
The issue arises from the use of raw file descriptors in op_node_ipc_pipe(), leading to the premature close of arbitrary file descriptors. This allows standard input to be closed and re-opened as a different resource, resulting in a permission prompt bypass. An attacker controlling the code executed inside a Deno runtime can exploit this to obtain arbitrary code execution on the host machine, regardless of permissions. The vulnerability is known to be exploitable, with a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions and abusing the lack of filesystem permission checks in the Cache API. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs.
Recommendations
To resolve the issue, update to Deno version 1.39.1, which fixes the bug. For version 1.39.0, as a temporary workaround, consider restricting the use of the op_node_ipc_pipe() function until a patch is available. Additionally, be cautious when using the Cache API, as it lacks filesystem permission checks, which can be abused in conjunction with this vulnerability.
Exploit
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Deno