CVE-2024-27931
Insufficient permission checking in `Deno.makeTemp*` APIs
Description
### Impact Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. The permission check would prompt for the base directory of the API, but the final file that was created would be outside of this directory: ``` $ mkdir /tmp/good $ mkdir /tmp/bad $ deno repl --allow-write=/tmp/good > Deno.makeTempFileSync({ dir: "/tmp/bad" }) ┌ ⚠️ Deno requests write access to "/tmp/bad". ├ Requested by `Deno.makeTempFile()` API. ├ Run again with --allow-write to bypass this prompt. └ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all write permissions) > n ❌ Denied write access to "/tmp/bad". Uncaught PermissionDenied: Requires write access to "/tmp/bad", run again with the --allow-write flag at Object.makeTempFileSync (ext:deno_fs/30_fs.js:176:10) at <anonymous>:1:27 > Deno.makeTempFileSync({ dir: "/tmp/good", prefix: "../bad/" }) "/tmp/good/../bad/a9432ef5" $ ls -l /tmp/bad/a9432ef5 -rw-------@ 1 user group 0 Mar 4 09:20 /tmp/bad/a9432ef5 ``` ### Patches This is fixed in Deno 1.41.1.
How to fix CVE-2024-27931
To remediate CVE-2024-27931, upgrade the affected package to a fixed version below.
- —upgrade to 1.41.1 or later
Is CVE-2024-27931 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.41.1