CVE-2024-27935

moderate-risk
Published 2024-03-21

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.

Do I need to act?

-
0.40% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Deno

References (6)

Patch https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6
Exploit https://github.com/denoland/deno/issues/20188
Vendor Advisory https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp
Patch https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6
Exploit https://github.com/denoland/deno/issues/20188
Vendor Advisory https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp
33
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal