CVE-2024-27932 — Improper Input Validation in Deno

CWE-20 — Improper Input Validation3 documents3 sources

Severity

4.6MEDIUMNVD

EPSS

0.5%

top 35.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Deno Denoland Deno

Timeline

Latest updateMar 6

PublishedMar 21

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages3 packages

▶NVDdeno/deno1.8.0 — 1.40.4

▶crates.iodeno/deno1.8.0 — 1.40.4

▶CVEListV5denoland/deno>= 1.8.0, < 1.40.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Deno's improper suffix match testing for DENO_AUTH_TOKENS↗2024-03-06

▶

GHSA

Deno's improper suffix match testing for DENO_AUTH_TOKENS↗2024-03-06

▶