CVE-2021-41641 — Link Following in Deno

Description

Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory.

How to fix CVE-2021-41641

To remediate CVE-2021-41641, upgrade the affected package to a fixed version below.

crates.io/deno—upgrade to 1.16.0 or later

Is CVE-2021-41641 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.16.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-41641
WEBgithub.com/denoland/deno/commit/d44011a69e0674acfa9c59bd7ad7f0523eb61d42
WEBgithub.com/denoland/deno/issues/12152
WEBgithub.com/denoland/deno/pull/12554
WEB