Reported

July 18, 2024

Issued

December 4, 2024

Package

js-sandbox (crates.io)

Type

Vulnerability

Categories

• denial-of-service

References

• https://github.com/Bromeon/js-sandbox/issues/31

Patched

no patched versions

Description

Affected versions use deno_core releases that expose Deno.core.ops.op_panic to the JS runtime in the base core

This function when called triggers a manual panic in the thread containing the runtime, breaking sandboxing

It can be fixed by stubbing out the exposed op:

Deno.core.ops.op_panic = (msg) => { throw new Error(msg) };

Advisory available under CC0-1.0 license.