GHSA-4mw5-2636-4535: op_panic in the base runtime can force a panic in the runtime's containing thread

December 4, 2024

Affected versions use deno_core releases that expose Deno.core.ops.op_panic to the JS runtime in the base core

This function when called triggers a manual panic in the thread containing the runtime, breaking sandboxing

It can be fixed by stubbing out the exposed op:

Deno.core.ops.op_panic = (msg) => { throw new Error(msg) };

References

github.com/Bromeon/js-sandbox
github.com/Bromeon/js-sandbox/issues/31
github.com/advisories/GHSA-4mw5-2636-4535
rustsec.org/advisories/RUSTSEC-2024-0403.html

Code Behaviors & Features

Detect and mitigate GHSA-4mw5-2636-4535 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →