CVE-2021-41641

HIGH8.4EPSS 0.13%

Link Following in Deno

Published: 6/13/2022Modified: 11/8/2023

Description

Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method can be used to gain access to any directory.

Affected packages (1)

crates.io/denofrom 0, < 1.16.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-41641
WEBhttps://github.com/denoland/deno/commit/d44011a69e0674acfa9c59bd7ad7f0523eb61d42
WEBhttps://github.com/denoland/deno/issues/12152
WEBhttps://github.com/denoland/deno/pull/12554
WEBhttps://hackers.report/report/614876917a7b150012836bb8