CVE-2024-27936

Name of the Vulnerable Software and Affected Versions Deno versions 1.32.1 through 1.40.x

Description A maliciously crafted permission request can show a spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno strips any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. This allows a malicious Deno program to display the wrong file path or program name to the user.

Recommendations For Deno versions 1.32.1 through 1.40.x, update to version 1.41.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of ANSI escape sequences in permission requests until a patch is applied. Restrict access to sensitive files and programs to minimize the risk of exploitation. Avoid using broken ANSI codes in permission prompts to prevent spoofing.