CVE-2024-27932— Deno's improper suffix match testing for DENO_AUTH_TOKENS
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-27932
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Deno's improper suffix match testing for DENO_AUTH_TOKENS
Source: NVD (National Vulnerability Database)
Vulnerability Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Deno 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Deno是开源的一个简单、现代且安全的JavaScript和 TypeScript运行环境。它使用 V8 并使用 Rust 构建。 Deno v1.8.0到1.40.4版本存在安全漏洞,该漏洞源于Deno 不正确地检查导入说明符的主机名是否等于令牌主机名或其子级,导致令牌被发送到攻击者服务器。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-27932
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-27932
请登录查看更多情报信息。
- https://github.com/denoland/deno/security/advisories/GHSA-5frw-4rwq-xhcrx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2024-27932
Same Patch Batch · denoland · 2024-03-06 · 5 CVEs total
| CVE-2024-27936 | 8.8 HIGH | Deno interactive permission prompt spoofing via improper ANSI stripping |
| CVE-2024-27934 | 8.4 HIGH | *const c_void / ExternalPointer unsoundness leading to use-after-free |
| CVE-2024-27933 | 8.3 HIGH | Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt |
| CVE-2024-27935 | 7.2 HIGH | Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination |
IV. Related Vulnerabilities
Same product: deno
- CVE-2026-32260
Command Injection via incomplete shell metacharacter blockli - CVE-2026-27190
Deno has a Command Injection via Incomplete shell metacharac - CVE-2026-22864
Deno has an incomplete fix for command-injection prevention - CVE-2026-22863
Deno node:crypto doesn't finalize cipher - CVE-2025-61787
Deno is Vulnerable to Command Injection on Windows During Ba
Same vendor: denoland
- CVE-2026-32260
Command Injection via incomplete shell metacharacter blockli - CVE-2026-27190
Deno has a Command Injection via Incomplete shell metacharac - CVE-2026-22864
Deno has an incomplete fix for command-injection prevention - CVE-2026-22863
Deno node:crypto doesn't finalize cipher - CVE-2025-61787
Deno is Vulnerable to Command Injection on Windows During Ba
Same weakness: CWE-20
V. Comments for CVE-2024-27932
No comments yet