Cross-Session Data Contamination Vulnerability Affects Deno Versions 1.35.1-1.36.3
CVE-2024-27935

8.3 HIGH

Key Information:

Vendor: Denoland

Status
Vendor
CVE Published: 21 March 2024

What is CVE-2024-27935?

A vulnerability has been identified in the Deno runtime, specifically in its Node.js compatibility layer. The issue results from the reuse of a global buffer during asynchronous read operations from Node.js streams, which can lead to cross-session data contamination: when multiple sessions are reading from streams, data intended for one session may inadvertently be accessed by another. The vulnerability affects all users who use the Deno runtime for network communications or who work with streams that may indirectly use Node.js libraries. Users are advised to update to version 1.36.3 or later, where this issue has been resolved.
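The following added example is a simplified model of the bug class described above; it is not Deno's source code or its fix. It shows why handing callers a view onto one shared read buffer leaks data between sessions when reads interleave, next to a variant where each read returns its own memory. All function names and session payloads are constructed for illustration.

```javascript
// Simplified model of the bug class described above (NOT Deno's source code).
// All names and the session payloads are constructed for illustration.
const SHARED = new Uint8Array(64); // one module-level buffer reused by every read

// Vulnerable pattern: fill the shared buffer, hand the caller a view onto it.
function readShared(wire) {
  SHARED.set(wire);
  return SHARED.subarray(0, wire.length); // a view, not a copy
}

// Hardened pattern: every read returns memory that only the caller owns.
function readOwned(wire) {
  return Uint8Array.from(wire);
}

// Two sessions read; both reads complete before either consumer runs,
// which is the interleaving that asynchronous I/O allows.
function simulate(readFn) {
  const enc = new TextEncoder();
  const dec = new TextDecoder();
  const sessions = [
    { id: "A", wire: enc.encode("token=alice-secret") },
    { id: "B", wire: enc.encode("token=bob-secret!!") },
  ];
  const pending = [];
  for (const s of sessions) {
    const chunk = readFn(s.wire);                    // read completes now
    pending.push(() => [s.id, dec.decode(chunk)]);   // consumer runs later
  }
  // Consumers run only after every read has finished.
  return Object.fromEntries(pending.map((consume) => consume()));
}

console.log("shared buffer:", simulate(readShared)); // session A sees B's bytes
console.log("owned buffers:", simulate(readOwned));  // each session sees its own
```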

Affected Version(s)

deno >= 1.35.1, < 1.36.3

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved