PT-2024-35445 · Deno · Deno Standard Library

Lionel-Rowe · Published 2024-11-22 · Updated 2024-11-22 · CVE-2024-52793

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Deno Standard Library versions prior to 1.0.11

Description
The issue affects the Deno Standard Library, specifically the serveDir function of the http/file-server module when it is used with the showDirListing: true option. In this configuration the directory listing is vulnerable to cross-site scripting when an attacker can control file names in the served directory, particularly on systems that use POSIX file names. Exploitation may be possible on other systems, but it is less straightforward because of differences in file name support; for example, Windows does not permit the characters < and > in file names.

Recommendations
For Deno Standard Library versions prior to 1.0.11, update to version 1.0.11 to resolve the issue. As a temporary workaround, set showDirListing to false in the serveDir options to minimize the risk of exploitation. Until the update is applied, restrict access to the http/file-server module, especially for users who can control file names in the served directory.
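The root cause described above is a directory listing that interpolates file names into HTML without escaping them. The following TypeScript is an added illustration, not code from the Deno Standard Library or from the advisory: it renders a listing for a constructed set of entries once without escaping (the vulnerable pattern) and once with every file name passed through an HTML escaper before it reaches the page. The function names, the DirEntry shape and the sample file names are assumptions made for this example.

```typescript
// Added example; not Deno std code. Demonstrates why a directory listing
// must HTML-escape file names before placing them in markup.

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escapes the five characters that can change HTML context.
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical entry shape; a real file server would derive this from the
// file system.
interface DirEntry {
  name: string;
  isDirectory: boolean;
}

// Vulnerable pattern: the raw file name is interpolated into the markup, so a
// name containing < or > (legal on POSIX file systems) becomes HTML.
function renderDirListingUnescaped(entries: DirEntry[]): string {
  const items = entries.map((e) => {
    const label = e.name + (e.isDirectory ? "/" : "");
    return `<li><a href="${e.name}">${label}</a></li>`;
  });
  return `<ul>\n${items.join("\n")}\n</ul>`;
}

// Hardened pattern: the visible label is HTML-escaped, and the href is
// percent-encoded for URL context and then HTML-escaped for attribute context.
function renderDirListing(entries: DirEntry[]): string {
  const items = entries.map((e) => {
    const label = escapeHtml(e.name + (e.isDirectory ? "/" : ""));
    const href = escapeHtml(encodeURIComponent(e.name));
    return `<li><a href="${href}">${label}</a></li>`;
  });
  return `<ul>\n${items.join("\n")}\n</ul>`;
}

// Constructed sample entries; the second name is benign markup chosen only to
// show that angle brackets in a POSIX file name survive into the page.
const SAMPLE_ENTRIES: DirEntry[] = [
  { name: "notes.txt", isDirectory: false },
  { name: "<b>not bold</b>.txt", isDirectory: false },
  { name: "docs", isDirectory: true },
];

// Returns true when a file name appears in the output as raw, unescaped markup.
function leaksRawMarkup(html: string, fileName: string): boolean {
  return html.includes(fileName);
}

if (typeof require !== "undefined" && require.main === module) {
  const bad = renderDirListingUnescaped(SAMPLE_ENTRIES);
  const good = renderDirListing(SAMPLE_ENTRIES);
  console.log("unescaped leaks markup:", leaksRawMarkup(bad, SAMPLE_ENTRIES[1].name));
  console.log("escaped leaks markup:", leaksRawMarkup(good, SAMPLE_ENTRIES[1].name));
  console.log(good);
}
```

The check in leaksRawMarkup is the kind of assertion worth keeping in a file server's test suite: seed a directory with a name containing < and >, render the listing, and fail if the raw name is found in the response body. Until the fixed version is deployed, the advisory's workaround of setting showDirListing to false removes the listing code path entirely.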

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-52793
GHSA-32FX-H446-H8PF

Affected Products

Deno Standard Library