CVE-2024-32477 Overview
CVE-2024-32477 affects Deno, a JavaScript, TypeScript, and WebAssembly runtime built around secure defaults. The vulnerability allows attackers to bypass Deno's permission prompt using ANSI escape sequences combined with a race condition against libc::tcflush(0, libc::TCIFLUSH). Attackers inject characters into standard input by abusing terminal emulator responses to info-request escape sequences such as \033[6n. This manipulation forces the permission prompt to allow unsafe actions regardless of user input. Deno patched the issue in version 1.42.2. The flaw is classified under [CWE-78] and carries a CVSS score of 7.4.
Critical Impact
Attackers can bypass Deno's permission policy and execute unsafe operations without user consent by manipulating terminal input streams.
Affected Products
- Deno runtime versions prior to 1.42.2
- Applications and scripts relying on Deno permission prompts
- Interactive Deno CLI sessions running in terminal emulators that respond to ANSI info-request sequences
Discovery Timeline
- 2024-04-18 - CVE-2024-32477 published to NVD
- 2025-09-04 - Last updated in NVD database
Technical Details for CVE-2024-32477
Vulnerability Analysis
Deno enforces a permission model that prompts users before allowing sensitive operations such as file system access, network calls, or subprocess execution. The prompt reads user confirmation from standard input. This vulnerability undermines that trust boundary by injecting attacker-controlled bytes into the same input stream the prompt reads from.
The issue is a race condition between flushing the terminal input buffer with libc::tcflush(0, libc::TCIFLUSH) and the subsequent read from standard input. Deno attempts to flush pending input before showing the prompt to prevent pre-typed answers. The flush and read are not atomic, which leaves a window for injected data to land in the buffer.
Root Cause
The root cause is improper handling of the bidirectional pseudo-terminal (PTY) channel used by both standard streams and terminal control sequences. ANSI escape sequences such as \033[6n (Device Status Report for cursor position) cause the terminal emulator to write a reply back through the same PTY channel that Deno reads as standard input. Because the input flush and the prompt read are not synchronized against asynchronous terminal replies, malicious script output can seed the input buffer with a confirmation response.
Attack Vector
An attacker delivers a Deno script, or content rendered by a Deno script, containing crafted ANSI escape sequences. When the script triggers a permission prompt, the embedded sequences cause the terminal to send synthetic input back to Deno. The race condition between tcflush and the input read allows the synthetic input to satisfy the prompt and grant the requested permission. No user interaction beyond running the script is required. The vulnerability is described in detail in the Deno GitHub Security Advisory GHSA-95cj-3hr2-7j5j.
Detection Methods for CVE-2024-32477
Indicators of Compromise
- Deno scripts that emit ANSI escape sequences such as \033[6n, \033[5n, or other Device Status Report queries before triggering permission prompts
- Permission grants recorded in audit trails for operations the user did not visibly approve
- Execution of Deno runtime binaries at versions earlier than 1.42.2
Detection Strategies
- Inventory all Deno installations and flag versions older than 1.42.2 using software asset management telemetry
- Inspect Deno scripts and dependencies for embedded terminal control sequences combined with calls that trigger permission prompts such as Deno.readFile, Deno.writeFile, Deno.run, or fetch
- Hunt for process executions where the Deno binary is invoked with untrusted script paths or piped input
Monitoring Recommendations
- Log Deno process executions including command-line arguments and parent process context
- Monitor file system and network access originating from Deno processes for activity inconsistent with expected workloads
- Alert on Deno version downgrades or installations of unpatched releases in development and CI environments
How to Mitigate CVE-2024-32477
Immediate Actions Required
- Upgrade Deno to version 1.42.2 or later on all developer workstations, build agents, and production hosts
- Audit existing Deno scripts and third-party modules for untrusted sources that could deliver malicious escape sequences
- Restrict execution of Deno scripts from untrusted origins in CI/CD pipelines until upgrades complete
Patch Information
Deno fixed the vulnerability in release 1.42.2. The fix is documented in the Deno GitHub Security Advisory GHSA-95cj-3hr2-7j5j. Upgrade using the official installer or package manager appropriate to the platform.
Workarounds
- Avoid running Deno scripts from untrusted sources in interactive terminal sessions until patched
- Invoke Deno with explicit permission flags such as --allow-read=<path> or --deny-all to remove reliance on interactive prompts
- Run Deno workloads in non-interactive environments or containers where standard input is not attached to a PTY
# Upgrade Deno to a patched release
deno upgrade --version 1.42.2
# Verify installed version
deno --version
# Run scripts with explicit permissions instead of interactive prompts
deno run --allow-read=./data --allow-net=api.example.com script.ts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
