CVE-2023-28445
Deno improperly handles resizable ArrayBuffer
Description
### Impact

[Resizable ArrayBuffers](https://github.com/tc39/proposal-resizablearraybuffer) passed to asynchronous native functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy users are not affected.

### Patches

The problem has been resolved by disabling resizable ArrayBuffers temporarily in Deno 1.32.1. A future version of Deno will re-enable resizable ArrayBuffers with a proper fix.

### Workarounds

Upgrade to Deno 1.32.1, or run with `--v8-flags=--no-harmony-rab-gsab` to disable resizable ArrayBuffers.
How to fix CVE-2023-28445
To remediate CVE-2023-28445, upgrade the affected package to a fixed version below.
- Upgrade to 1.32.1 or later
- Upgrade to 0.103.0 or later
- Upgrade to 0.88.0 or later
Is CVE-2023-28445 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 1.32.0, < 1.32.1
- >= 0.102.0, < 0.103.0
- >= 0.87.0, < 0.88.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |