CVE-2023-33966
CVE-2023-33966 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). EPSS estimates a 0.63% chance of exploitation in the next 30 days.
Description
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. Users of Deno versions prior to 1.34.0 are unaffected. Deno Deploy users are unaffected. This problem has been patched in Deno v1.34.1 and deno_runtime 0.114.1 and all users are recommended to update to this version. No workaround is available for this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Deno | Deno | 1.34.0 |
| Deno | Deno Runtime | 0.114.0 |
Timeline
- Status: Modified
Source: NVD / NIST
