A high-severity vulnerability has been discovered in the Deno runtime, which could allow untrusted code to bypass critical security restrictions. Successful exploitation allows an attacker to read or modify sensitive files outside of the intended sandboxed environment. This could lead to data theft, unauthorized system modification, and a full compromise of the host system.

The vulnerability is a path traversal flaw within Deno's file system permission model, leading to a sandbox escape. When a Deno script is executed with file system access restricted to a specific directory (e.g., using --allow-read=/app/), the runtime fails to properly validate paths that include symbolic links. An attacker can craft a malicious script that creates a symbolic link inside the permitted directory pointing to a sensitive location outside of it (e.g., /etc/). When the script then attempts to access a file via this symbolic link, the Deno runtime incorrectly follows the link, granting unauthorized read or write access to the target file system, effectively bypassing the security sandbox.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to a severe breach of data confidentiality and integrity on the affected server. An attacker could read sensitive configuration files, access private user data, steal application source code, or modify critical system files to achieve persistent access or cause a denial of service. This poses a significant risk of data breaches, intellectual property theft, and potential system-wide compromise, which could result in severe reputational damage, regulatory fines, and financial loss.

Immediate Action: Apply vendor security updates immediately to patch the vulnerability. Following the update, it is crucial to monitor for any signs of exploitation attempts and to thoroughly review system and application access logs for anomalous activity that may have occurred prior to patching.

Proactive Monitoring: Monitor Deno process activity for unexpected file system access outside of intended directories, particularly involving symbolic link creation or traversal. Review application logs for errors or warnings related to file I/O operations. Implement File Integrity Monitoring (FIM) on critical configuration files and application directories to detect unauthorized modifications.

Compensating Controls: If immediate patching is not feasible, run Deno applications within a more restrictive secondary container (e.g., a minimal Docker container) with strict security policies. Scrutinize all third-party scripts and dependencies before execution. As a temporary measure, consider implementing operating system-level controls to prevent the user account running Deno from creating symbolic links, though this may impact legitimate functionality.

Public Exploit Available: false

Given the High severity (CVSS 8.1) of this sandbox escape vulnerability, immediate action is required. We strongly recommend that all system administrators prioritize the application of the vendor-supplied security updates across all affected environments, including development, testing, and production. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact and potential for widespread use make it a critical threat that must be addressed without delay to prevent system compromise.