GHSA-fwfx-rrv8-crpf: op_panic in the base runtime can force a panic in the runtime's containing thread

December 4, 2024

Affected versions use deno_core releases that expose Deno.core.ops.op_panic to the JS runtime in the base core

This function when called triggers a manual panic in the thread containing the runtime.

It can be fixed by stubbing out the exposed op:

Deno.core.ops.op_panic = (msg) => { throw new Error(msg) };

References

github.com/advisories/GHSA-fwfx-rrv8-crpf
github.com/rscarson/rustyscript/issues/174
github.com/rscarson/rustyscripthttps://github.com/rscarson/rustyscript
rustsec.org/advisories/RUSTSEC-2024-0405.html

Code Behaviors & Features

Detect and mitigate GHSA-fwfx-rrv8-crpf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →