CVE-2023-28445 : What You Need to Know

Learn about CVE-2023-28445 affecting Deno, leading to out-of-bounds read and write vulnerabilities. Mitigation steps and impact details included.

This article provides details about CVE-2023-28445, which involves Deno improperly handling resizable ArrayBuffer, leading to potential out-of-bounds read and write vulnerabilities.

Understanding CVE-2023-28445

CVE-2023-28445 is a vulnerability in Deno, a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. The vulnerability arises when a resizable ArrayBuffer is passed to an asynchronous function and then shrunk while the asynchronous operation is still in progress, potentially resulting in out-of-bounds reads and writes.

What is CVE-2023-28445?

The vulnerability affects Deno version 1.32.0 and allows out-of-bounds read and write operations because resizable ArrayBuffers are handled improperly.

The Impact of CVE-2023-28445

This vulnerability has a critical severity level with a CVSS base score of 10. It has a high impact on confidentiality, integrity, and availability. Although no exploitation in the wild has been reported, the potential for unauthorized access to sensitive information or system compromise makes this a significant threat.

Technical Details of CVE-2023-28445

The technical details of CVE-2023-28445 are as follows:

Vulnerability Description

The vulnerability arises from improper handling of resizable ArrayBuffers, leading to out-of-bounds read and write operations.

Affected Systems and Versions

The affected system is Deno version 1.32.0. Users of Deno Deploy are not affected by this vulnerability.

Exploitation Mechanism

An attacker could potentially exploit this vulnerability to gain unauthorized access to sensitive data or to execute arbitrary code in the context of the affected Deno process.

Mitigation and Prevention

To mitigate the risks associated with CVE-2023-28445, the following steps are recommended:

Immediate Steps to Take

        Users should update to Deno version 1.32.1, which temporarily disables resizable ArrayBuffers as a workaround.
        Alternatively, run Deno with the --v8-flags=--no-harmony-rab-gsab flag to disable resizable ArrayBuffers until a proper fix is released in version 1.32.2.
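The following is an added example, not code from the advisory or from the Deno project, showing two defensive checks a team can apply in its own JavaScript while waiting for the fixed release: detecting whether the runtime still exposes resizable ArrayBuffers (it does not when started with --v8-flags=--no-harmony-rab-gsab), and copying a resizable buffer into a fixed-length one before handing it to an asynchronous operation, so that a later shrink cannot change the length the operation works on. It assumes a V8-based runtime (Node.js or Deno); the functions and sample bytes are constructed for illustration.

```javascript
// Added example (not from the advisory or Deno): defensive handling of resizable
// ArrayBuffers around async work, in the spirit of CVE-2023-28445.
// Assumption: ArrayBuffer.prototype.resize exists only when V8's resizable
// ArrayBuffer feature is enabled; it is absent under --no-harmony-rab-gsab.

// True when the runtime exposes resizable ArrayBuffers. A runtime started with the
// advisory's workaround flag returns false here, which a startup check can assert.
function resizableArrayBuffersEnabled() {
  return typeof ArrayBuffer.prototype.resize === "function";
}

// Copies the bytes of an ArrayBuffer or typed-array view into a fresh, fixed-length
// Uint8Array. Passing this snapshot (not the original, shrinkable buffer) to an async
// operation means a later resize() of the original cannot affect the operation's length.
function fixedSnapshot(view) {
  const bytes = view instanceof ArrayBuffer
    ? new Uint8Array(view)
    : new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
  const copy = new Uint8Array(bytes.byteLength); // plain ArrayBuffer, never resizable
  copy.set(bytes);
  return copy;
}

// Simulated async consumer: yields once (the window in which the caller's buffer could
// be shrunk), then reads view.byteLength bytes.
async function asyncSum(view) {
  await new Promise((resolve) => setTimeout(resolve, 0));
  let sum = 0;
  for (let i = 0; i < view.byteLength; i++) sum += view[i];
  return { length: view.byteLength, sum };
}

// Demonstration: hand the consumer a snapshot, then shrink the original mid-flight.
// The live view tracks the shrink (byteLength 2); the consumer still sees all 8 bytes.
async function demo() {
  if (!resizableArrayBuffersEnabled()) return { supported: false };
  const buf = new ArrayBuffer(8, { maxByteLength: 16 }); // constructed sample buffer
  const live = new Uint8Array(buf);                        // length-tracking view
  live.set([1, 2, 3, 4, 5, 6, 7, 8]);
  const pending = asyncSum(fixedSnapshot(live));           // snapshot taken before await
  buf.resize(2);                                           // shrink while still pending
  const result = await pending;
  return { supported: true, liveLength: live.byteLength, ...result };
}
```

Running demo() on a runtime with resizable ArrayBuffers enabled reports liveLength 2 but length 8 and sum 36 for the consumer, showing the snapshot was unaffected by the shrink.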

Long-Term Security Practices

        Follow best practices for secure coding and regularly update and patch Deno to protect against known vulnerabilities.
        Maintain awareness of security advisories and apply security updates promptly to mitigate potential risks.

Patching and Updates

        Deno 1.32.1 addresses the vulnerability by temporarily disabling resizable ArrayBuffers. Users are advised to update to this version to protect their systems against potential exploitation.
