
Cloud Vulnerability DB
A community-led vulnerabilities database
Deno, a runtime for JavaScript and TypeScript, introduced a security vulnerability in version 1.34.0 and deno_runtime 0.114.0. The vulnerability (CVE-2023-33966), discovered on May 31, 2023, caused outbound HTTP requests made using the built-in node:http or node:https modules to bypass the network permission allow list (--allow-net) check (Vendor Advisory).
The vulnerability stems from an improper privilege management issue (CWE-269) where the built-in Node.js compatibility modules (node:http and node:https) failed to enforce network permission checks. The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows applications to make unauthorized network requests, bypassing Deno's security permissions system. This could potentially lead to unauthorized data exfiltration or communication with malicious servers, even when the application is run without explicit network permissions.
The vulnerability has been patched in Deno v1.34.1 and deno_runtime 0.114.1. Users are strongly recommended to upgrade to these versions or later. No alternative workarounds are available for this security issue (Release Notes).
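The affected and fixed versions above translate directly into an inventory check. The following is an added example, not code from Deno or the vendor advisory: it parses `deno --version` output and a `Cargo.lock` file and flags the versions named on this page. The function names and the sample inputs are constructed for illustration.

```javascript
// Versions taken from the advisory text on this page.
const AFFECTED = { deno: "1.34.0", deno_runtime: "0.114.0" };
const FIXED = { deno: "1.34.1", deno_runtime: "0.114.1" };

// Constructed sample inputs (only the deno and deno_runtime versions matter here).
const SAMPLE_VERSION_OUTPUT =
  "deno 1.34.0 (release, x86_64-unknown-linux-gnu)\nv8 11.5.150.2\ntypescript 5.0.4\n";
const SAMPLE_CARGO_LOCK = `
[[package]]
name = "deno_core"
version = "0.188.0"

[[package]]
name = "deno_runtime"
version = "0.114.0"
`;

// Extract the runtime version from the "deno X.Y.Z (...)" line of `deno --version`.
function parseDenoVersion(output) {
  const m = /^deno (\d+\.\d+\.\d+)/m.exec(output);
  return m ? m[1] : null;
}

// Collect every locked version of a crate from Cargo.lock text.
function lockedVersions(cargoLock, crate) {
  const versions = [];
  for (const block of cargoLock.split("[[package]]")) {
    const name = /^name = "([^"]+)"/m.exec(block);
    const version = /^version = "([^"]+)"/m.exec(block);
    if (name && version && name[1] === crate) versions.push(version[1]);
  }
  return versions;
}

// Return one finding per affected component; an empty array means nothing matched.
function audit({ versionOutput = "", cargoLock = "" }) {
  const findings = [];
  if (parseDenoVersion(versionOutput) === AFFECTED.deno) {
    findings.push(`deno ${AFFECTED.deno}: upgrade to ${FIXED.deno} or later`);
  }
  for (const v of lockedVersions(cargoLock, "deno_runtime")) {
    if (v === AFFECTED.deno_runtime) {
      findings.push(`deno_runtime ${v}: upgrade to ${FIXED.deno_runtime} or later`);
    }
  }
  return findings;
}
```

Run `audit` against the output collected from each host and against each Rust project that embeds deno_runtime. Anything it reports should not be relied on to enforce `--allow-net` until upgraded.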
Source: This report was generated using AI