CVE-2024-27935

Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.

Deno es un tiempo de ejecución de JavaScript, TypeScript y WebAssembly. A partir de la versión 1.35.1 y antes de la versión 1.36.3, una vulnerabilidad en el tiempo de ejecución de compatibilidad de Node.js de Deno permite la contaminación de datos entre sesiones durante lecturas asincrónicas simultáneas de flujos de Node.js provenientes de sockets o archivos. El problema surge de la reutilización de un búfer global (BUF) en stream_wrap.ts utilizado como optimización del rendimiento para limitar las asignaciones durante estas operaciones de lectura asincrónicas. Esto puede provocar que los datos destinados a una sesión sean recibidos por otra sesión, lo que podría provocar daños en los datos y comportamientos inesperados. Esto afecta a todos los usuarios de Deno que usan la capa de compatibilidad de node.js para la comunicación de red u otras transmisiones, incluidos los paquetes que pueden requerir librerías de node.js indirectamente. La versión 1.36.3 contiene un parche para este problema.

*Credits: N/A

CVSS Scores

GitHubv3.1 7.2

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-28 CVE Reserved
2024-03-06 CVE Published
2024-03-07 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-488: Exposure of Data Element to Wrong Session

CAPEC

References (3)

URL	Tag	Source
https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6	X_refsource_misc
https://github.com/denoland/deno/issues/20188	X_refsource_misc
https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Denoland Search vendor "Denoland"		Deno Search vendor "Denoland" for product "Deno"				>= 1.35.1 < 1.36.3 Search vendor "Denoland" for product "Deno" and version " >= 1.35.1 < 1.36.3"		en		Affected