CVE-2023-28445: Deno improperly handles resizable ArrayBuffer
A resizable ArrayBuffer that is passed to an asynchronous native function and then shrunk while the asynchronous operation is still in progress could result in an out-of-bounds read/write.
It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0.
Deno Deploy users are not affected.