fix: prevent panic on dynamic import with non-string error name #32498
Merged
bartlomieju merged 2 commits into denoland:main from Mar 5, 2026
When a dynamic import rejects with an Error whose 'name' property is a non-string type (e.g., Number, Object, Symbol), serde_v8::from_v8 would fail and the subsequent .unwrap() would panic, terminating the entire Deno process. This changes the .unwrap() to .unwrap_or_default(), allowing the error to be handled gracefully with a default NativeJsError (which has name: None, message: None). Security: GHSA-2f8r-ppr9-ff8f
When processing errorAdditionalPropertyKeys, if a property getter throws, the .unwrap() calls on arr.get_index() and exception.get() would panic. Replace unwrap() with let-else patterns that skip problematic properties instead of crashing.
bartlomieju approved these changes on Mar 5, 2026
bartlomieju pushed a commit to bartlomieju/deno that referenced this pull request on Mar 5, 2026
…land#32498) Fixes a panic where a dynamic import rejecting with an Error whose `name` property is a non-string type (Number, Object, Symbol) would panic and terminate the Deno process. --------- Co-authored-by: kaju <kajukitli@users.noreply.github.com>
Summary
Fixes a denial-of-service vulnerability where a dynamic import rejecting with an Error whose `name` property is a non-string type (Number, Object, Symbol) would panic and terminate the Deno process.

The Problem
In `catch_dynamic_import_promise_error`, the code deserializes the error:

When `name` is not a string, `serde_v8::from_v8` returns an error and `.unwrap()` panics. This bypasses all JavaScript-level error handling.

The Fix
Replace `.unwrap()` with `.unwrap_or_default()`:

`NativeJsError` already derives `Default`, so this gracefully handles malformed errors with `name: None, message: None`.

PoC (before fix)
Result:
panicked at libs/core/runtime/bindings.rs:961:72
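
The `.unwrap()` versus `.unwrap_or_default()` behaviour described above, as an added stand-alone Rust model that is not code from the Deno repository. `JsValue`, `field`, `from_js`, `describe_before`, `describe_after` and `before_panics` are hypothetical stand-ins for the V8 value and the `serde_v8::from_v8` call; only the `NativeJsError` name and its `name`/`message` fields come from the page.

```rust
use std::panic;

// Stand-in for a JS value crossing into Rust (hypothetical; the real code uses V8 handles).
#[derive(Clone, Debug)]
enum JsValue { Str(String), Num(f64), Undefined }

// Same shape the PR describes: both fields optional, Default derived.
#[derive(Debug, Default, PartialEq)]
struct NativeJsError { name: Option<String>, message: Option<String> }

// Hypothetical strict field conversion: a present non-string value is an error,
// which is the failure mode the PR attributes to serde_v8::from_v8.
fn field(v: &JsValue) -> Result<Option<String>, String> {
    match v {
        JsValue::Str(s) => Ok(Some(s.clone())),
        JsValue::Undefined => Ok(None),
        other => Err(format!("expected string, got {:?}", other)),
    }
}

fn from_js(name: &JsValue, message: &JsValue) -> Result<NativeJsError, String> {
    Ok(NativeJsError { name: field(name)?, message: field(message)? })
}

// Before: script-controlled input reaches .unwrap(), so a type mismatch panics.
fn describe_before(name: &JsValue, message: &JsValue) -> NativeJsError {
    from_js(name, message).unwrap()
}

// After: a mismatch degrades to the default value and the caller keeps running.
// The whole struct falls back, so a valid message is dropped along with the bad name.
fn describe_after(name: &JsValue, message: &JsValue) -> NativeJsError {
    from_js(name, message).unwrap_or_default()
}

// Returns true if the "before" path panics for this input.
fn before_panics(name: JsValue, message: JsValue) -> bool {
    panic::catch_unwind(move || describe_before(&name, &message)).is_err()
}

fn main() {
    // Constructed sample input: numeric name, string message.
    let msg = JsValue::Str("boom".into());
    println!("before panics: {}", before_panics(JsValue::Num(42.0), msg.clone()));
    println!("after: {:?}", describe_after(&JsValue::Num(42.0), &msg));
}
```

When reviewing similar code, the thing to look for is any `.unwrap()` or `.expect()` on a `Result` whose error path is reachable from script-controlled values.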