PT-2024-25803 · Deno · Deno

Cristian Staicu +4 · Published 2024-05-07 · Updated 2026-04-14 · CVE-2024-34346

CVSS v3.1

9.0 Critical

Vector

AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Deno versions prior to 1.43

Description

The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading /proc/self/environ may provide access equivalent to --allow-env, and writing /proc/self/mem may provide access equivalent to --allow-all. Users who grant read and write access to the entire filesystem may not realize that access to these files may have additional, unintended consequences.

Recommendations

For Deno versions prior to 1.43, consider adding explicit deny flags to restrict access to sensitive files, such as --deny-read=/dev, --deny-read=/sys, --deny-read=/proc, --deny-read=/etc, --deny-write=/dev, --deny-write=/sys, --deny-write=/proc, and --deny-write=/etc. Note that symlinks in allowed locations may defeat this protection in earlier versions of Deno. For Deno 1.43 and above, ensure explicit --allow-all access is required to read or write /etc, /dev on Unix platforms, as well as /proc and /sys on Linux platforms, and any path starting with `` on Windows.
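
The symlink caveat in the recommendation can be checked before a directory is granted to an older Deno. The following is an added example, not part of the advisory or of Deno itself: it lists symlinks under a directory that resolve into the four locations named above and builds the matching deny flags. The function names are hypothetical, and it assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example: audit a directory intended for --allow-read / --allow-write
# on Deno < 1.43 for symlinks that lead into the locations the advisory denies.

# Locations named in the advisory's recommendation.
SENSITIVE_ROOTS="/dev /sys /proc /etc"

# is_sensitive PATH: succeed when PATH is one of the roots or lies below one.
# Matching is on whole path components, so /procfoo does not match /proc.
is_sensitive() {
    for root in $SENSITIVE_ROOTS; do
        case "$1" in
            "$root"|"$root"/*) return 0 ;;
        esac
    done
    return 1
}

# sensitive_symlinks DIR: print "link -> resolved target" for every symlink
# under DIR whose fully resolved target (chains included) is sensitive.
sensitive_symlinks() {
    find "$1" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || continue
        [ -n "$target" ] || continue
        if is_sensitive "$target"; then
            printf '%s -> %s\n' "$link" "$target"
        fi
    done
}

# deny_flags: print the deny flags from the recommendation, one pair per root.
deny_flags() {
    for root in $SENSITIVE_ROOTS; do
        printf '%s=%s %s=%s ' --deny-read "$root" --deny-write "$root"
    done
}

# Usage (the directory is a placeholder):
#   sensitive_symlinks /path/to/allowed/dir
#   deno run --allow-read=/path/to/allowed/dir $(deny_flags) script.ts
```

Any line printed by `sensitive_symlinks` is a path that should be removed or excluded before the directory is granted, since the deny flags alone may not cover it on versions prior to 1.43.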

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2024-34346
GHSA-23RX-C3G5-HV9W
JLSEC-2026-107

Affected Products

Deno