Information disclosure in Deno - CVE-2024-21486

 

Published: April 23, 2026


Vulnerability identifier: #VU127060
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-21486
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Deno Land
Affected software:
Deno

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in static imports when directly or indirectly executing third-party code with deno run. A remote attacker can place a crafted static import in attacker-controlled code to disclose sensitive information.

When the program is executed with read and write permissions, sensitive local file contents can be exfiltrated over the network even though no network permission was granted.


How to mitigate CVE-2024-21486

Install the security update from the vendor's website.
