Exposure of Resource to Wrong Sphere in Deno - CVE-2024-27935

 


Published: March 5, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127051
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-27935
CWE-ID: CWE-668
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Deno Land
Affected software: Deno

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and cause data corruption.

The vulnerability exists due to improper isolation of a global buffer in stream_wrap.ts in Deno's Node.js compatibility runtime when performing simultaneous asynchronous reads from Node.js streams sourced from sockets or files. A remote attacker can trigger concurrent stream reads to disclose sensitive information and cause data corruption.

The issue does not affect network streams created with the Deno.listen and Deno.connect APIs.
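The bug class described above, reduced to a constructed JavaScript model. This is an added example, not code from Deno's stream_wrap.ts; `SHARED_BUF`, `makeSource`, `readShared`, `readIsolated` and the sample payloads are hypothetical. It contrasts two concurrent reads that reuse one module-level buffer with reads that each own their buffer.

```javascript
// Constructed model of a shared read buffer; not Deno's implementation.
const SHARED_BUF = new Uint8Array(16); // one buffer reused by every read

// Hypothetical source standing in for a socket or file handle.
function makeSource(text) {
  const bytes = new TextEncoder().encode(text);
  return {
    async readInto(buf) {
      buf.set(bytes);          // data lands in the buffer supplied by the caller
      await Promise.resolve(); // yield point: another read may start here
      return bytes.length;
    },
  };
}

// Unsafe: the buffer is read back after an await, when another
// in-flight read may already have overwritten it.
async function readShared(source) {
  const n = await source.readInto(SHARED_BUF);
  return new TextDecoder().decode(SHARED_BUF.subarray(0, n));
}

// Isolated: every read allocates and owns its buffer.
async function readIsolated(source) {
  const buf = new Uint8Array(16);
  const n = await source.readInto(buf);
  return new TextDecoder().decode(buf.subarray(0, n));
}

// Start two reads on different streams before either completes.
function runConcurrent(read) {
  const a = makeSource("session=alice"); // constructed sample data
  const b = makeSource("session=bobby"); // constructed sample data
  return Promise.all([read(a), read(b)]);
}

runConcurrent(readShared)
  .then((r) => console.log("shared buffer:  ", r))
  .then(() => runConcurrent(readIsolated))
  .then((r) => console.log("isolated buffer:", r));
```

With the shared buffer, the consumer of the first stream receives the second stream's bytes, which is both the disclosure and the corruption the advisory names.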


How to mitigate CVE-2024-27935

Install the security update from the vendor's website.
