CVE-2023-28445: 
Rust vulnerability analysis and mitigation

Deno, a runtime for JavaScript and TypeScript built in Rust, was found to have a critical security vulnerability (CVE-2023-28445) affecting version 1.32.0. The vulnerability was discovered and disclosed on March 23, 2023, involving resizable ArrayBuffers that could lead to out-of-bound read/write operations when passed to asynchronous functions (GitHub Advisory).

The vulnerability stems from improper handling of resizable ArrayBuffers in asynchronous built-in functions. When these ArrayBuffers are shrunk during an asynchronous operation, it could result in an out-of-bound read/write condition. The vulnerability has been assigned a CVSS v3.1 score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The issue is classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write) (NVD, GitHub Advisory).

The vulnerability could potentially lead to unauthorized data access and modification through out-of-bound read/write operations. However, the impact was limited as only version 1.32.0 was affected, and Deno Deploy users were not impacted (GitHub Advisory).

The vulnerability was addressed in Deno version 1.32.1 by temporarily disabling resizable ArrayBuffers. A proper fix was planned for version 1.32.2, which would re-enable resizable ArrayBuffers. As a workaround, users can run Deno with the flag --v8-flags=--no-harmony-rab-gsab to disable resizable ArrayBuffers (GitHub Advisory, Deno Release).