
op_panic in the base runtime can force a panic in the runtime's containing thread

Moderate severity GitHub Reviewed Published Dec 4, 2024 to the GitHub Advisory Database • Updated Dec 4, 2024

Package

cargo rustyscript (Rust)

Affected versions

>= 0.4.0, < 0.6.1

Patched versions

0.6.1

Description

Affected versions use deno_core releases that expose Deno.core.ops.op_panic to the JS runtime in the base core.

When called, this function triggers a manual panic in the thread containing the runtime.

It can be fixed by stubbing out the exposed op:

Deno.core.ops.op_panic = (msg) => { throw new Error(msg) };
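
To check whether a project locks a release in the affected range listed above (>= 0.4.0, < 0.6.1), the following added example scans Cargo.lock text for rustyscript entries. It is not code from the advisory or from rustyscript; the helper names and the sample lockfile are constructed for illustration, and any pre-release suffix on a version is ignored.

```rust
// Added example: report rustyscript versions in the advisory's affected range
// (>= 0.4.0, < 0.6.1) found in Cargo.lock text. SAMPLE_LOCK is constructed.
const SAMPLE_LOCK: &str = r#"
version = 3
[[package]]
name = "example_dep"
version = "1.2.3"
[[package]]
name = "rustyscript"
version = "0.5.0"
"#;

/// Parse "MAJOR.MINOR.PATCH"; a pre-release or build suffix is ignored (assumption).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// True when the version is >= 0.4.0 and < 0.6.1; unparsable versions are not flagged.
fn is_affected(v: &str) -> bool {
    parse_version(v).map_or(false, |ver| ver >= (0, 4, 0) && ver < (0, 6, 1))
}

/// Extract the quoted value from a `key = "value"` line, if the line has that key.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Return every affected rustyscript version locked in the given Cargo.lock text.
fn affected_in_lockfile(lock: &str) -> Vec<String> {
    lock.split("[[package]]")
        .skip(1) // text before the first [[package]] holds only lockfile metadata
        .filter_map(|block| {
            let name = block.lines().find_map(|l| quoted_value(l, "name"))?;
            let version = block.lines().find_map(|l| quoted_value(l, "version"))?;
            (name == "rustyscript" && is_affected(version)).then(|| version.to_string())
        })
        .collect()
}

fn main() {
    println!("affected rustyscript versions: {:?}", affected_in_lockfile(SAMPLE_LOCK));
}
```

A non-empty result means the project should move to 0.6.1 or apply the stub above before any script runs.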

References

Published to the GitHub Advisory Database Dec 4, 2024
Reviewed Dec 4, 2024
Last updated Dec 4, 2024

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-fwfx-rrv8-crpf