Path traversal in Deno - CVE-2024-27931

 


Published: March 5, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127047
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-27931
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Deno Land
Affected software:
Deno

Detailed vulnerability description

The vulnerability allows a remote attacker to overwrite important files on the system.

The vulnerability exists due to improper input validation in Deno.makeTemp* APIs when processing user-supplied prefix or suffix parameters. A remote attacker can supply path traversal characters in a prefix or suffix value to overwrite important files on the system.

The permission check applies to the base directory, but the created file may be placed outside that directory.
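The gap between the checked directory and the resulting file path, shown as an added example that is not Deno's own code. It assumes the temporary name is assembled as prefix + random part + suffix under the directory, and adds a caller-side check that rejects path separators before the values reach Deno.makeTempFile or Deno.makeTempDir. Helper names and sample paths are hypothetical.

```javascript
// Added example. Helper names and sample paths are constructed for illustration.

// Collapse "." and ".." segments of a POSIX-style path (pure string logic, no I/O).
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Assumed model: the name is prefix + random part + suffix, joined under dir.
function effectiveTempPath(dir, prefix, suffix, random = "a1b2c3d4") {
  return normalizePosix(`${dir}/${prefix}${random}${suffix}`);
}

// Containment test on the final path, not only on the base directory.
function isInside(dir, candidate) {
  const base = normalizePosix(dir);
  return candidate.startsWith(base === "/" ? "/" : base + "/");
}

// Caller-side guard: a prefix or suffix is a name fragment, never a path.
function assertSafeAffix(name, value) {
  if (typeof value !== "string") throw new TypeError(`${name} must be a string`);
  if (/[\/\\\u0000]/.test(value)) {
    throw new Error(`${name} must not contain path separators or NUL`);
  }
  return value;
}

// Validate options before handing them to Deno.makeTempFile / Deno.makeTempDir.
function safeTempOptions({ dir, prefix = "", suffix = "" }) {
  return {
    dir,
    prefix: assertSafeAffix("prefix", prefix),
    suffix: assertSafeAffix("suffix", suffix),
  };
}

// Constructed cases: one benign, two whose affixes carry traversal sequences.
function demo() {
  const dir = "/app/tmp";
  return [["upload-", ".txt"], ["../config/", ".json"], ["upload-", "/../../other/x"]]
    .map(([p, s]) => effectiveTempPath(dir, p, s))
    .map((path) => ({ path, inside: isInside(dir, path) }));
}
```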


How to mitigate CVE-2024-27931

Install the security update from the vendor's website.
