CVE-2024-27933
📋 TL;DR
This vulnerability in Deno runtime version 1.39.0 allows arbitrary file descriptor manipulation, enabling attackers to bypass permission prompts and achieve arbitrary code execution on the host machine. It affects any system running Deno 1.39.0 where untrusted code can be executed. The bug allows complete permission bypass from zero initial permissions.
💻 Affected Systems
- Deno
📦 What is this software?
Deno by Deno
⚠️ Risk & Real-World Impact
Worst Case
Full host compromise with arbitrary code execution, privilege escalation, and complete system control regardless of Deno's permission model.
Likely Case
Unauthorized access to filesystem, network resources, and execution of arbitrary commands by bypassing Deno's security prompts.
If Mitigated
Limited impact if running with minimal permissions and strict code isolation, but still significant due to permission bypass capability.
🎯 Exploit Status
A working exploit exists that achieves arbitrary code execution by bypassing prompts, starting from zero permissions. The attack can be conducted silently, since stderr can be closed to suppress the prompt output.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.39.1
Vendor Advisory: https://github.com/denoland/deno/releases/tag/v1.39.1
Restart Required: Yes
Instructions:
1. Stop all Deno processes.
2. Update Deno using: deno upgrade --version 1.39.1
3. Verify the update with: deno --version
4. Restart applications using Deno.
🔧 Temporary Workarounds
Downgrade to previous version
Revert to Deno version 1.38.8 or earlier, which is not affected
deno upgrade --version 1.38.8
Disable IPC functionality
Run Deno with the --no-ipc flag to disable inter-process communication features
deno run --no-ipc your_script.ts
🧯 If You Can't Patch
- Isolate Deno runtime in container or VM with strict network and filesystem restrictions
- Implement strict allow-lists for Deno permissions using --allow-* flags with minimal scope
🔍 How to Verify
Check if Vulnerable:
Run deno --version and check whether the output shows 1.39.0
Check Version:
deno --version
Verify Fix Applied:
Run deno --version and confirm the output shows 1.39.1 or higher
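As an added check that is not part of this advisory, the POSIX shell functions below classify a host's Deno build against CVE-2024-27933 from the text of `deno --version`, using the versions named above (1.39.0 affected, 1.39.1 and later patched, 1.38.8 and earlier unaffected). They assume the first output line has the form `deno X.Y.Z (...)`.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Deno build against
# CVE-2024-27933 from the output of `deno --version`.

# Extract "MAJOR.MINOR.PATCH" from the first line of `deno --version`
# output, e.g. "deno 1.39.0 (release, x86_64-unknown-linux-gnu)".
deno_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^deno \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Compare two dotted versions component by component; prints -1, 0 or 1.
version_cmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return 0; fi
        i=$((i + 1))
    done
    echo 0
}

# Prints one of: unaffected, vulnerable, patched, unknown.
cve_2024_27933_status() {
    v=$(deno_version_from_output "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if [ "$(version_cmp "$v" 1.39.0)" -lt 0 ]; then
        echo unaffected          # older than the first affected release
    elif [ "$(version_cmp "$v" 1.39.1)" -lt 0 ]; then
        echo vulnerable          # exactly 1.39.0
    else
        echo patched             # 1.39.1 or later
    fi
}

# Stand-alone use: classify the Deno binary on this host, if one is installed.
if command -v deno >/dev/null 2>&1; then
    printf 'CVE-2024-27933 status of local deno: %s\n' \
        "$(cve_2024_27933_status "$(deno --version 2>/dev/null)")"
fi
```

Feed each host's `deno --version` output to `cve_2024_27933_status` from your inventory tooling to find builds that still need the 1.39.1 upgrade.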
📡 Detection & Monitoring
Log Indicators:
- Unexpected permission prompt bypasses
- File descriptor manipulation errors
- Cache API access without proper permissions
Network Indicators:
- Unexpected outbound connections from Deno processes
- IPC communication patterns matching the exploit
SIEM Query:
(process.name:"deno" AND process.version:"1.39.0") OR event.action:"permission_bypass"
🔗 References
- https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214
- https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220
- https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225
- https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241
- https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256
- https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265
- https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99
- https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b
- https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392
- https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq