Synced 16 Jun 2026 15:24 UTC Account
← All products

CVE-2024-27932

MEDIUM severity · CVSS 4.6 · Improper input validation
4.6CVSS MEDIUM

Summary

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredLow
User interactionRequired
Confidentiality impactLow
Integrity impactLow
Availability impactNone
Exploit probability (EPSS)1%

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected products we track (1)

Deno

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://github.com/denoland/deno/commit/de23e3b60b066481cc390f459497d5bef42a899b ↗

Additional information