Static imports inside dynamically imported modules do not adhere to permission checks
CVE-2021-32619

9.8 CRITICAL

Key Information:

Vendor

Denoland

Status
Vendor
CVE Published: 28 May 2021

What is CVE-2021-32619?

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through import() or new Worker might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2.

Affected Version(s)

deno < 1.10.2

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
