op_panic in the base runtime can force a panic in the runtime's containing thread

Moderate severity GitHub Reviewed Published Dec 4, 2024 to the GitHub Advisory Database • Updated Dec 4, 2024

Package

cargo js-sandbox (Rust)

Affected versions

<= 0.1.6

Patched versions

None

Description

Affected versions use deno_core releases that expose Deno.core.ops.op_panic to the JS runtime in the base core.

When called, this function triggers a manual panic in the thread containing the runtime, breaking sandboxing.

It can be fixed by stubbing out the exposed op:

Deno.core.ops.op_panic = (msg) => { throw new Error(msg) };
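
The stub above, applied as a prelude and checked before guest code runs. This is an added example, not code from the advisory or from js-sandbox: `makeMockRuntime`, `neutralizeOpPanic`, `runGuest` and `demo` are hypothetical names, and the `Deno.core.ops` object is a constructed mock so the block runs under Node without deno_core.

```javascript
// Constructed stand-in for the Deno.core.ops object named in the advisory.
// The mock op_panic only records that the host would have panicked.
function makeMockRuntime() {
  const host = { panicked: false };
  const ops = { op_panic(_msg) { host.panicked = true; } };
  return { host, Deno: { core: { ops } } };
}

// Hypothetical helper: install the advisory's stub, pin it, report the outcome.
function neutralizeOpPanic(Deno) {
  const ops = Deno && Deno.core && Deno.core.ops;
  if (!ops || typeof ops.op_panic !== "function") return "absent";
  const stub = (msg) => { throw new Error(msg); };
  try {
    Object.defineProperty(ops, "op_panic", {
      value: stub, writable: false, configurable: false, enumerable: true,
    });
  } catch (_err) {
    return "failed"; // property could not be redefined
  }
  return ops.op_panic === stub ? "stubbed" : "failed";
}

// Run guest code and convert anything it throws into a plain result object.
function runGuest(Deno, guest) {
  try {
    guest(Deno);
    return { ok: true, error: null };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Same guest call against an unpatched and a patched mock runtime.
function demo() {
  const guest = (D) => D.core.ops.op_panic("boom");
  const unpatched = makeMockRuntime();
  runGuest(unpatched.Deno, guest);
  const patched = makeMockRuntime();
  const status = neutralizeOpPanic(patched.Deno);
  const result = runGuest(patched.Deno, guest);
  return { status, result,
    unpatchedPanicked: unpatched.host.panicked,
    patchedPanicked: patched.host.panicked };
}

console.log(demo());
```

With the stub installed the guest call surfaces as an ordinary JavaScript error that the embedder can catch. A result of "failed" means the op is still exposed and guest code should not be evaluated.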

References

Published to the GitHub Advisory Database Dec 4, 2024
Reviewed Dec 4, 2024
Last updated Dec 4, 2024

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-4mw5-2636-4535
