{"api_version":"1","generated_at":"2026-07-15T18:55:44+00:00","cve":"CVE-2022-24783","urls":{"html":"https://cve.report/CVE-2022-24783","api":"https://cve.report/api/cve/CVE-2022-24783.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24783","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24783"},"summary":{"title":"CVE-2022-24783","description":"Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-03-25 22:15:00","updated_at":"2023-06-30 18:50:00"},"problem_types":["CWE-863"],"metrics":[],"references":[{"url":"https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f","name":"https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f","refsource":"CONFIRM","tags":[],"title":"Sandbox bypass leading to arbitrary code execution · Advisory · denoland/deno · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24783","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24783","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24783","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"deno","cpe5":"deno","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24783","STATE":"PUBLIC","TITLE":"Sandbox bypass leading to arbitrary code execution in Deno"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"deno","version":{"version_data":[{"version_value":">= 1.18.0, < 1.20.3"}]}}]},"vendor_name":"denoland"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. All users are recommended to upgrade to 1.20.3 immediately."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-269: Improper Privilege Management"}]}]},"references":{"reference_data":[{"name":"https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f","refsource":"CONFIRM","url":"https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f"}]},"source":{"advisory":"GHSA-838h-jqp6-cf2f","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-03-25 22:15:00","lastModifiedDate":"2023-06-30 18:50:00","problem_types":["CWE-863"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":10,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*","versionStartIncluding":"1.18.0","versionEndExcluding":"1.20.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24783","Ordinal":"228254","Title":"CVE-2022-24783","CVE":"CVE-2022-24783","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24783","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}