CVE-2021-41641 – This vulnerability in Deno's file sandbox allow... (How to Fix)

📋 TL;DR

This vulnerability in Deno's file sandbox allows attackers to bypass directory restrictions via symbolic links. When Deno is run with write permissions, the Deno.symlink method can be exploited to access any directory on the system. This affects all Deno applications running vulnerable versions with write access enabled.

💻 Affected Systems

Products:

Deno

Versions: All versions <= 1.14.0

Operating Systems: All platforms where Deno runs (Linux, macOS, Windows)

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when Deno is run with --allow-write or similar write permissions. Applications without write permissions are not affected.

📦 What is this software?

Deno by Deno

View all CVEs affecting Deno →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to read, modify, or delete any file on the host system, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Unauthorized file access and modification within the host filesystem, potentially exposing sensitive configuration files, credentials, or application data.

🟢

If Mitigated

Limited impact if proper permission restrictions are in place and applications run with minimal necessary privileges.

🌐 Internet-Facing: MEDIUM - Requires Deno application with write permissions exposed to untrusted users, which is less common for internet-facing services.

🏢 Internal Only: HIGH - Internal applications with write permissions could be exploited by malicious insiders or compromised internal systems to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires the ability to execute Deno code with write permissions. The vulnerability is well-documented with proof-of-concept examples available in public reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Deno 1.14.1 and later

Vendor Advisory: https://github.com/denoland/deno/issues/12152

Restart Required: Yes

Instructions:

1. Update Deno using: deno upgrade --version 1.14.1 or later
2. Restart all Deno applications
3. Verify the update with: deno --version

🔧 Temporary Workarounds

Remove write permissions

all

Run Deno applications without --allow-write or other write permissions

Run without: --allow-write flag

Use read-only permissions

all

Only grant read permissions when write access is not required

Use --allow-read instead of --allow-write

🧯 If You Can't Patch

Run Deno applications with minimal permissions, avoiding --allow-write unless absolutely necessary
Implement strict input validation and sandboxing for any code that uses Deno.symlink

🔍 How to Verify

Check if Vulnerable:

Check if running Deno version <= 1.14.0 and if applications use --allow-write permissions

Check Version:

deno --version

Verify Fix Applied:

Verify Deno version is 1.14.1 or higher and test symbolic link behavior in sandboxed environment

📡 Detection & Monitoring

Log Indicators:

Multiple Deno.symlink() calls with suspicious paths
File access patterns outside expected sandbox directories

Network Indicators:

Unusual outbound connections following file access attempts

SIEM Query:

process.name:"deno" AND process.args:"--allow-write" AND process.args:"symlink"

📊 Metadata

CVE ID: CVE-2021-41641

CVSS v3 Score: 8.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE: CWE-59

Published: June 12, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/denoland/deno/issues/12152 Exploit,Issue Tracking,Third Party Advisory
https://hackers.report/report/614876917a7b150012836bb8 Exploit,Third Party Advisory
https://github.com/denoland/deno/issues/12152 Exploit,Issue Tracking,Third Party Advisory
https://hackers.report/report/614876917a7b150012836bb8 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-41641, you might also want to check these: