Update Your Deno Installation to Patch Spoofing Vulnerability

CVE: CVE-2023-22499
CVSS (v3.1): 7.5
Source: CVE-2023-22499

Deno, the JavaScript and TypeScript runtime, had a vulnerability that allowed malicious programs to spoof interactive permission prompts. By clearing the terminal screen after showing the prompt and writing a generic message, a program could trick users into thinking they approved an unrelated action.

This issue affected anyone using Deno’s Web Worker API who relied on interactive permission prompts to see clearly what permission they were approving. Although difficult to reproduce reliably, a malicious program could potentially abuse higher-level permissions by hiding the actual permission request.

Deno developers have addressed this vulnerability in version 1.29.3. All Deno users are encouraged to upgrade to the latest version to protect themselves from any potential spoofing attacks. If you cannot upgrade, running Deno with the “--no-prompt” flag disables interactive permission prompts as a workaround, but this is not as secure as updating.
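One way to check a host against the fixed release named above, as an added example that is not part of the original advisory or of the Deno project. The function names are hypothetical, the sample version lines are constructed, and treating every version below 1.29.3 as needing an upgrade is an assumption, since the advisory states only the fixed version.

```shell
#!/bin/sh
# Added example: flag Deno installs older than the fixed release (1.29.3).
# The advisory gives only the fixed version, so every older version is
# reported as needing an upgrade (assumption of this script).
FIXED_VERSION="1.29.3"

# Extract X.Y.Z from the first line of `deno --version` output.
parse_deno_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^deno \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if version $1 >= version $2, comparing each field numerically
# so that 1.9.10 sorts below 1.29.3.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$old_ifs
    [ "$#" -eq 6 ] || return 2
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
    [ "$3" -ge "$6" ]
}

# Print "patched X.Y.Z", "needs-upgrade X.Y.Z" or "unknown".
audit_deno() {
    ver=$(parse_deno_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo "patched $ver"
    else
        echo "needs-upgrade $ver"
    fi
}

# Constructed sample outputs, not captured from real hosts.
for sample in "deno 1.29.2 (release, x86_64-unknown-linux-gnu)" \
              "deno 1.29.3 (release, x86_64-unknown-linux-gnu)"; do
    audit_deno "$sample"
done

# Audit the local installation when deno is on PATH.
if command -v deno >/dev/null 2>&1; then
    audit_deno "$(deno --version)"
fi
```

A host reported as needs-upgrade that cannot be updated right away is a candidate for the “--no-prompt” workaround described above.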

It’s always best practice to keep any software up-to-date, especially when security issues are fixed. By taking a few minutes to update your Deno installation, you can help protect yourself from spoofing or similar vulnerabilities in the future.
