CVE-2025-24015: Improper Verification of Cryptographic Signature in Deno

Severity: 7.7 HIGH (NVD)
EPSS: 0.2% (top 61.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 3; latest update Jun 4

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removin

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (3)

Source      Package         Introduced   Fixed
NVD         deno/deno       1.46.0       2.1.7
crates.io   deno/deno       1.46.0       2.1.7
CVEListV5   denoland/deno   >= 1.46.0, < 2.1.7

Patches

Vulnerability Details (2 references)

OSV: Deno's AES GCM authentication tags are not verified (2025-06-04)
GHSA: Deno's AES GCM authentication tags are not verified (2025-06-04)