CVE-2024-34346
📋 TL;DR
This CVE describes a sandbox escape vulnerability in Deno where granting file read/write permissions could unintentionally provide broader system access. By accessing privileged files like /proc/self/environ or /proc/self/mem, attackers could bypass sandbox restrictions and gain permissions equivalent to --allow-env or --allow-all. Users running Deno with --allow-read or --allow-write flags are affected.
💻 Affected Systems
- Deno
📦 What is this software?
Deno by Deno
⚠️ Risk & Real-World Impact
Worst Case
Complete sandbox escape allowing arbitrary code execution with full system privileges, equivalent to running with the --allow-all permission.
Likely Case
Partial sandbox bypass allowing unauthorized access to environment variables, memory, or other privileged system resources.
If Mitigated
Limited impact with proper permission restrictions and updated Deno versions that require explicit --allow-all for privileged paths.
🎯 Exploit Status
Exploitation requires the ability to execute code within the Deno sandbox with file read or write permissions. The public advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Deno 1.43 and above
Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w
Restart Required: Yes
Instructions:
1. Update Deno to version 1.43 or later using your package manager.
2. For npm: 'npm update deno'.
3. For direct install: use the deno upgrade command or download from official releases.
🔧 Temporary Workarounds
Restrict file permissions
Avoid using --allow-read or --allow-write with broad paths. Use specific directory permissions instead of entire filesystem access.
deno run --allow-read=/specific/path script.ts
deno run --allow-write=/specific/path script.ts
Avoid privileged paths
Explicitly block access to /proc, /sys, /dev, /etc on Unix and \ paths on Windows in application logic.
🧯 If You Can't Patch
- Minimize use of --allow-read and --allow-write flags. Use specific directory permissions instead of broad filesystem access.
- Implement additional sandboxing layers like containerization (Docker) with restricted capabilities.
🔍 How to Verify
Check if Vulnerable:
Run 'deno --version' and check whether the reported version is below 1.43. Also check whether applications use --allow-read or --allow-write without path restrictions.
Check Version:
deno --version
Verify Fix Applied:
Confirm the Deno version is 1.43 or higher with 'deno --version'. Test that privileged paths require the --allow-all flag.
📡 Detection & Monitoring
Log Indicators:
- Deno process accessing /proc/self/environ, /proc/self/mem, or other privileged paths
- Unexpected permission escalation in Deno logs
Network Indicators:
- Unusual outbound connections from Deno processes suggesting sandbox escape
SIEM Query:
process.name:deno AND (file.path:/proc/self/* OR file.path:/etc/* OR file.path:/dev/*)
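The version check from "How to Verify" and the SIEM query above, as an added Python example (not from the advisory or the Deno project); the `process.name=... file.path=...` log format and the sample lines are constructed for illustration:

```python
import re

# Minimum Deno version carrying the fix for CVE-2024-34346 (per the advisory above).
FIXED_VERSION = (1, 43)

# Path prefixes the SIEM query above treats as privileged when opened by a Deno process.
PRIVILEGED_PREFIXES = ("/proc/self/", "/etc/", "/dev/")

def parse_deno_version(version_output: str) -> tuple:
    """Extract (major, minor, patch) from the 'deno X.Y.Z' line of `deno --version` output."""
    m = re.search(r"^deno (\d+)\.(\d+)\.(\d+)", version_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'deno X.Y.Z' line found in output")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version_output: str) -> bool:
    """True when the installed Deno is older than 1.43 (still affected)."""
    major, minor, _patch = parse_deno_version(version_output)
    return (major, minor) < FIXED_VERSION

# Constructed log format: one event per line with key=value fields (hypothetical, not a real product format).
LOG_RE = re.compile(r"process\.name=(?P<proc>\S+)\s+file\.path=(?P<path>\S+)")

def flag_privileged_access(log_lines: list) -> list:
    """Mirror the SIEM query: return (line_no, path) for deno processes touching privileged paths."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m or m.group("proc") != "deno":
            continue  # only Deno processes are in scope
        if m.group("path").startswith(PRIVILEGED_PREFIXES):
            hits.append((n, m.group("path")))
    return hits

# Constructed sample data, not captured from a real system.
SAMPLE_VERSION = "deno 1.42.4 (release, x86_64-unknown-linux-gnu)\nv8 12.4.254.12\ntypescript 5.4.3\n"
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z process.name=deno file.path=/srv/app/data.json action=open",
    "2024-05-01T10:00:01Z process.name=deno file.path=/proc/self/environ action=open",
    "2024-05-01T10:00:02Z process.name=cat file.path=/proc/self/environ action=open",
    "2024-05-01T10:00:03Z process.name=deno file.path=/proc/self/mem action=open",
]

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable_version(SAMPLE_VERSION))
    for line_no, path in flag_privileged_access(SAMPLE_LOGS):
        print(f"line {line_no}: deno opened privileged path {path}")
```

The first sample line (a read inside the application's own directory) is not flagged, which is the behaviour you want when --allow-read is scoped to a specific path as recommended above.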