CVE-2023-28445: Critical security vulnerability in the popular runtime, Deno
The Vulnerability: Resizable ArrayBuffers in Asynchronous Functions
Deno’s vulnerability lies in its handling of resizable ArrayBuffers passed to asynchronous functions. When these ArrayBuffers are shrunk during an asynchronous operation, an out-of-bound read/write can occur. The CVE-2023-28445 flaw, discovered by security researcher lucacasonato, affects only Deno version 1.32.0, and Deno Deploy users are not impacted. While there is currently no evidence of this vulnerability being exploited in the wild, the potential ramifications are significant, warranting immediate attention from developers.
Addressing the Vulnerability: Deno 1.32.1 and Workarounds
To address the security flaw, Deno has released version 1.32.1, which temporarily disables resizable ArrayBuffers. In the upcoming Deno 1.32.2 release, resizable ArrayBuffers will be re-enabled with a proper fix in place. In the meantime, developers can use the following workaround to mitigate any risks associated with the vulnerability: run Deno with–v8-flags=–no-harmony-rab-gsab to disable resizable ArrayBuffers.
Securing Your Deno Applications
To ensure the safety of your Deno applications, follow these recommended steps:
- Update Deno: Make sure you are running the latest version of Deno (1.32.1 or higher) to benefit from the temporary fix that disables resizable ArrayBuffers.
- Use the workaround: If you cannot immediately update Deno, run your application with –v8-flags=–no-harmony-rab-gsab to disable resizable ArrayBuffers and prevent potential exploitation of the vulnerability.
- Monitor for Deno updates: Keep an eye out for the release of Deno 1.32.2, which will re-enable resizable ArrayBuffers with a proper fix in place. Update to this version as soon as it becomes available.
- Stay informed: Follow Deno’s official channels for updates on security issues and other critical information related to the platform.
- Perform regular security audits: Regularly review your code and dependencies for potential security flaws, and address them promptly.
The discovery of this critical vulnerability in Deno highlights the importance of proactive security measures and staying informed about potential risks in the development ecosystem. By promptly addressing the issue and providing a workaround, Deno has demonstrated its commitment to the security of its users. Developers should take this opportunity to ensure their applications are running on the latest Deno version and follow best practices for maintaining a secure development environment.