rustsec/advisory-db
1
0
Fork 0
mirror of https://github.com/rustsec/advisory-db.git synced 2025-12-27 01:54:07 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
advisory-db/crates/js-sandbox/RUSTSEC-2024-0403.md
djc 2e45336771 Synchronize IDs (2025-10-28)
2025-10-28 07:02:18 +01:00

676 B
Raw Permalink Blame History 

[advisory]
id = "RUSTSEC-2024-0403"
package = "js-sandbox"
date = "2024-07-18"
url = "https://github.com/Bromeon/js-sandbox/issues/31"
categories = ["denial-of-service"]
aliases = ["GHSA-4mw5-2636-4535"]

[versions]
patched = []

op_panic in the base runtime can force a panic in the runtime's containing thread

Affected versions use deno_core releases that expose Deno.core.ops.op_panic to the JS runtime in the base core

This function when called triggers a manual panic in the thread containing the runtime, breaking sandboxing

It can be fixed by stubbing out the exposed op:

Deno.core.ops.op_panic = (msg) => { throw new Error(msg) };