CVE-2024-27934— *const c_void / ExternalPointer unsoundness leading to use-after-free
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-27934
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
*const c_void / ExternalPointer unsoundness leading to use-after-free
Source: NVD (National Vulnerability Database)
Vulnerability Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
释放后使用
Source: NVD (National Vulnerability Database)
Vulnerability Title
Deno 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Deno是开源的一个简单、现代且安全的JavaScript和 TypeScript运行环境。它使用 V8 并使用 Rust 构建。 Deno 1.36.2 到 1.40.3版本存在安全漏洞,该漏洞源于const c_void、ExternalPointer 不安全,导致释放后重用,从而导致任意代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-27934
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-27934
请登录查看更多情报信息。
- https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wfx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2024-27934
Same Patch Batch · denoland · 2024-03-06 · 5 CVEs total
| CVE-2024-27936 | 8.8 HIGH | Deno interactive permission prompt spoofing via improper ANSI stripping |
| CVE-2024-27933 | 8.3 HIGH | Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt |
| CVE-2024-27935 | 7.2 HIGH | Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination |
| CVE-2024-27932 | 4.6 MEDIUM | Deno's improper suffix match testing for DENO_AUTH_TOKENS |
IV. Related Vulnerabilities
Same product: deno
- CVE-2026-32260
Command Injection via incomplete shell metacharacter blockli - CVE-2026-27190
Deno has a Command Injection via Incomplete shell metacharac - CVE-2026-22864
Deno has an incomplete fix for command-injection prevention - CVE-2026-22863
Deno node:crypto doesn't finalize cipher - CVE-2025-61787
Deno is Vulnerable to Command Injection on Windows During Ba
Same vendor: denoland
- CVE-2026-32260
Command Injection via incomplete shell metacharacter blockli - CVE-2026-27190
Deno has a Command Injection via Incomplete shell metacharac - CVE-2026-22864
Deno has an incomplete fix for command-injection prevention - CVE-2026-22863
Deno node:crypto doesn't finalize cipher - CVE-2025-61787
Deno is Vulnerable to Command Injection on Windows During Ba
V. Comments for CVE-2024-27934
No comments yet