Is CVE-2024-27933 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 2%.

What products does CVE-2024-27933 affect?

Tracked products affected include Deno. Check the version you run to see whether it is affected.

How do I fix CVE-2024-27933?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2024-27933

Q: What is CVE-2024-27933?

CVE-2024-27933 is a high-severity software vulnerability (Incorrect authorization) with a CVSS score of 8.2. Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different

HIGH severity · CVSS 8.2 · Incorrect authorization

8.2CVSS HIGH

Summary

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together. Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs. Version 1.39.1 fixes the bug.

Impact & exploitability

Attack vectorLocal

Attack complexityLow

Privileges requiredHigh

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)2%

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected products we track (1)

Deno

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b ↗

CVE-2024-27933

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information