CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-21620 – Deno's authorization headers not dropped when redirecting cross-origin
https://notcve.org/view.php?id=CVE-2025-21620
06 Jan 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2. Deno es un entorno de ejecución de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. C... • https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-32468 – Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator
https://notcve.org/view.php?id=CVE-2024-32468
25 Nov 2024 — Deno is a runtime for JavaScript and TypeScript written in rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate which lead to Self-XSS with deno doc --html. 1.) XSS in generated `search_index.js`, `deno_doc` outputs a JavaScript file for searching. However, the generated file used `innerHTML` on unsanitzed HTML input. 2.) XSS via property, method and enum names, `deno_doc` did not sanitize property names, method names and enum names. • https://github.com/denoland/deno/security/advisories/GHSA-qqwr-j9mm-fhw6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34346 – Deno contains a permission escalation via open of privileged files with missing `--deny` flag
https://notcve.org/view.php?id=CVE-2024-34346
07 May 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files ... • https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w • CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32477 – Race condition when flushing input stream leads to permission prompt bypass
https://notcve.org/view.php?id=CVE-2024-32477
18 Apr 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and g... • https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27936 – Deno interactive permission prompt spoofing via improper ANSI stripping
https://notcve.org/view.php?id=CVE-2024-27936
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the co... • https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27935 – Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination
https://notcve.org/view.php?id=CVE-2024-27935
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended ... • https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6 • CWE-488: Exposure of Data Element to Wrong Session •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27934 – *const c_void / ExternalPointer unsoundness leading to use-after-free
https://notcve.org/view.php?id=CVE-2024-27934
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code... • https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27933 – Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass
https://notcve.org/view.php?id=CVE-2024-27933
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file... • https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214 • CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27932 – Deno's improper suffix match testing for DENO_AUTH_TOKENS
https://notcve.org/view.php?id=CVE-2024-27932
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue Deno es un ... • https://github.com/denoland/deno/blob/3f4639c330a31741b0efda2f93ebbb833f4f95bc/cli/auth_tokens.rs#L89 • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27931 – Insufficient permission checking in `Deno.makeTemp*` APIs
https://notcve.org/view.php?id=CVE-2024-27931
05 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1. • https://github.com/denoland/deno/security/advisories/GHSA-hrqr-jv8w-v9jh • CWE-20: Improper Input Validation •