PT-2024-3679 · Deno · Deno

Parrot409 · Published 2024-04-18 · Updated 2025-09-04 · CVE-2024-32477

CVSS v3.1: 7.7 High
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Deno versions prior to 1.42.2
Description: The issue is caused by incorrect synchronization when a shared resource is used in the Deno runtime environment for JavaScript and TypeScript. Exploitation of this issue may allow an attacker to disclose protected information. By using ANSI escape sequences and a race between libc::tcflush(0, libc::TCIFLUSH) and the read of standard input, it is possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user's input. Some ANSI escape sequences act as an information request to the terminal emulator (the PTY master), which sends its reply back over the PTY channel; the standard streams use the same channel to send and receive data. For example, the \033[6n sequence requests the current cursor position. Such sequences therefore let a script append data to the standard input of Deno, which allows an attacker to bypass the Deno permission policy.
Recommendations: For Deno versions prior to 1.42.2, update to version 1.42.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of ANSI escape sequences in the terminal emulator to minimize the risk of exploitation, and avoid using the libc::tcflush(0, libc::TCIFLUSH) call in conjunction with reading standard input until the issue is resolved.
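The escape-sequence half of the issue can be mitigated by never letting untrusted text reach the TTY unfiltered. The following is an added example, not Deno's code or its 1.42.2 fix: a dependency-free Rust sanitizer (the function name strip_ansi and the sample path are assumptions) that removes CSI, OSC and other ESC-introduced sequences, so a query such as ESC[6n is never forwarded to the terminal emulator and cannot produce a reply on stdin.

```rust
// Added example (not Deno's code): strip ANSI escape sequences from untrusted
// text before it is written to a TTY, so that terminal queries such as ESC[6n
// never reach the terminal emulator and cannot inject a reply into stdin.

/// Returns the sanitized text and the number of escape sequences removed.
pub fn strip_ansi(input: &str) -> (String, usize) {
    let b = input.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut removed = 0;
    let mut i = 0;
    while i < b.len() {
        if b[i] != 0x1b {
            out.push(b[i]);
            i += 1;
            continue;
        }
        removed += 1;
        i += 1; // skip ESC itself
        match b.get(i) {
            // CSI: ESC '[' parameters (0x30-0x3f) intermediates (0x20-0x2f) final (0x40-0x7e)
            Some(b'[') => {
                i += 1;
                while i < b.len() && (0x30..=0x3f).contains(&b[i]) { i += 1; }
                while i < b.len() && (0x20..=0x2f).contains(&b[i]) { i += 1; }
                if i < b.len() && (0x40..=0x7e).contains(&b[i]) { i += 1; }
            }
            // OSC / DCS / SOS / PM / APC: string sequences ending in BEL or ST (ESC '\')
            Some(b']') | Some(b'P') | Some(b'X') | Some(b'^') | Some(b'_') => {
                i += 1;
                while i < b.len() {
                    if b[i] == 0x07 { i += 1; break; }
                    if b[i] == 0x1b && b.get(i + 1) == Some(&b'\\') { i += 2; break; }
                    i += 1;
                }
            }
            // Two-byte escapes such as ESC '7'; a non-ASCII byte is left in place
            Some(c) if c.is_ascii() => i += 1,
            _ => {}
        }
    }
    // Only complete ASCII-delimited ranges were removed, so the rest is still valid UTF-8.
    (String::from_utf8_lossy(&out).into_owned(), removed)
}

fn main() {
    // Constructed sample: a path a script might display, followed by a cursor-position query.
    let (clean, n) = strip_ansi("/tmp/data.txt\x1b[6n");
    println!("{:?} ({} sequence(s) removed)", clean, n);
}
```

This filter does nothing about the tcflush race itself, which requires the runtime-side fix shipped in Deno 1.42.2.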

Exploit · Fix

Weakness Enumeration: OS Command Injection, Race Condition

Related Identifiers: BDU:2024-04023, CVE-2024-32477, GHSA-95CJ-3HR2-7J5J

Affected Products: Deno