CVE-2024-27934 — Use After Free in Deno

CWE-416 — Use After Free3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 55.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Deno Denoland Deno

Timeline

Latest updateMar 6

PublishedMar 21

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain ar…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages3 packages

▶NVDdeno/deno1.36.2 — 1.40.3

▶crates.iodeno/deno1.36.2 — 1.40.3

▶CVEListV5denoland/deno>= 1.36.2, < 1.40.3

🔴Vulnerability Details

GHSA

*const c_void / ExternalPointer unsoundness leading to use-after-free↗2024-03-06

▶

OSV

*const c_void / ExternalPointer unsoundness leading to use-after-free↗2024-03-06

▶