CVE-2023-33966: Missing "--allow-net" permission check for built-in Node modules
Outbound HTTP requests made using the built-in “node:http” or “node:https” modules are incorrectly not checked against the network permission allow list (--allow-net). Dependencies relying on these built-in modules are subject to the vulnerability too.
Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected.
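To check whether a code base or its vendored dependencies load the affected built-in modules, the following added example (not part of the advisory, and not Deno or GitLab code) scans source text for the "node:http" and "node:https" specifiers. The function names and the sample files are assumptions constructed for illustration.

```javascript
// Added example: find loads of the built-in modules the advisory names,
// in first-party or vendored source text passed in as strings.
const AFFECTED = ["node:http", "node:https"]; // specifiers taken from the advisory

// Static import / export-from, side-effect import, dynamic import() and require().
const LOADERS = [
  /\b(?:import|export)\b[^;'"]*?\bfrom\s*(['"])([^'"]+)\1/g,
  /\bimport\s*(['"])([^'"]+)\1/g,
  /\b(?:import|require)\s*\(\s*(['"])([^'"]+)\1\s*\)/g,
];

// Blank out block comments and whole-line // comments, keeping offsets and newlines.
function blankComments(source) {
  return source.replace(/\/\*[\s\S]*?\*\/|^\s*\/\/.*$/gm, (c) => c.replace(/[^\n]/g, " "));
}

// files: { path: sourceText }. Returns [{ file, line, specifier }], by line within each file.
function findAffectedImports(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    const code = blankComments(source);
    const perFile = new Map(); // de-duplicates hits reported by more than one pattern
    for (const pattern of LOADERS) {
      for (const match of code.matchAll(pattern)) {
        if (!AFFECTED.includes(match[2])) continue; // exact match: node:http2 is not flagged
        const line = code.slice(0, match.index).split("\n").length;
        perFile.set(`${line}:${match[2]}`, { file, line, specifier: match[2] });
      }
    }
    findings.push(...[...perFile.values()].sort((a, b) => a.line - b.line));
  }
  return findings;
}

// Constructed sample input, not taken from any real project.
const SAMPLE = {
  "main.ts": [
    'import { serve } from "./server.ts";',
    '// import http from "node:http";  (commented out, ignored)',
    'import https from "node:https";',
    'const http = await import("node:http");',
  ].join("\n"),
  "vendor/client.js": 'const http = require("node:http");\nexport { get } from "node:https";',
  "util.ts": 'import { join } from "node:path";\nimport * as h2 from "node:http2";',
};

for (const f of findAffectedImports(SAMPLE)) console.log(`${f.file}:${f.line} loads ${f.specifier}`);
```

A regex scan does not see specifiers assembled at run time, so treat a clean result as a first pass rather than proof that no code path reaches these modules.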