CVE-2024-27935

Severity: High (CVSS 3.1 base score 8.3) · EPSS 49.3%
Published: Mar 21, 2024
Last Modified: Jun 17, 2026

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts, used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the Node.js compatibility layer for network communication or other streams, including packages that may require Node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.

CVSS Details

Base Score
8.3
Exploitability
3.9
Impact
3.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
49.3% (percentile)
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-488: Exposure of Data Element to Wrong Session

Affected Products 1

Vendor   Product   Version   Range
deno     deno      *         ≥ 1.35.1, < 1.36.3

References 3

  • github.com https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6
    Patch
  • github.com https://github.com/denoland/deno/issues/20188
    Exploit, Issue Tracking
  • github.com https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp
    Vendor Advisory

Remediation

  • github.com https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6
    Patch