CVE-2024-27935

2024-03-2102:52:22

CWE-488

[email protected]

web.nvd.nist.gov

deno

javascript

typescript

webassembly

node.js

vulnerability

data contamination

security

nvd

cve-2024-27935

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

0.0004 Low

EPSS

Percentile

15.7%

JSON

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno’s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.

Affected configurations

Vulners

Node

denolanddenoRange1.35.1–1.36.3

CNA Affected

[
  {
    "vendor": "denoland",
    "product": "deno",
    "versions": [
      {
        "version": ">= 1.35.1, < 1.36.3",
        "status": "affected"
      }
    ]
  }
]