CVE-2021-32619

9.8 CRITICAL

📋 TL;DR

This vulnerability allows Deno modules imported dynamically via import() or new Worker to bypass network and file system permission checks when statically importing other modules. It affects Deno versions 1.5.0 through 1.10.1, potentially enabling unauthorized access to resources.

💻 Affected Systems

Products:
  • Deno
Versions: 1.5.0 to 1.10.1
Operating Systems: All platforms where Deno runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects dynamic imports (import() or new Worker) that statically import other modules.

📦 What is this software?

Deno is a runtime for JavaScript and TypeScript. It is built around a permission model: a script gets no file system or network access unless the process is started with explicit --allow-* flags, which is why a bypass of those checks is rated critical.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker could execute arbitrary code, access sensitive files, or make unauthorized network requests by exploiting the permission bypass.

🟠 Likely Case: Malicious modules could access local files or network resources without proper authorization, leading to data exfiltration or privilege escalation.

🟢 If Mitigated: With proper sandboxing and minimal permissions, impact is limited to the specific resources accessible within the sandbox.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to execute dynamic imports in a vulnerable Deno environment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.2

Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-xpwj-7v8q-mcgj

Restart Required: Yes

Instructions:

1. Update Deno to version 1.10.2 or later using your package manager.
2. Restart any running Deno applications.
3. Verify the update with 'deno --version'.

🔧 Temporary Workarounds

Restrict dynamic imports (platforms: all)

Disable or restrict the use of dynamic imports (import() and new Worker) in your Deno applications.

Run with minimal permissions (platforms: all)

Use Deno's permission flags to limit network and file system access, so that the resources reachable if the bypass is triggered stay as small as possible, for example:

deno run --allow-net=example.com --allow-read=/safe/path app.ts

🧯 If You Can't Patch

  • Isolate Deno applications in containers or VMs to limit potential damage.
  • Implement strict input validation and sandboxing for user-provided modules.

🔍 How to Verify

Check if Vulnerable:

Run 'deno --version' and check if the version is between 1.5.0 and 1.10.1 inclusive.

Check Version:

deno --version

Verify Fix Applied:

After updating, run 'deno --version' to confirm version is 1.10.2 or higher.
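The version check above, as an added example that is not part of the original page: a POSIX sh script that parses captured `deno --version` output and compares it numerically against the affected range 1.5.0 through 1.10.1 (a plain string comparison would misorder 1.9.x and 1.10.x). The sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Classify a Deno installation against CVE-2021-32619 (affected: 1.5.0 .. 1.10.1 inclusive).

deno_version_from_output() {
    # Extract "X.Y.Z" from the "deno X.Y.Z ..." line of `deno --version`; prints nothing if absent.
    printf '%s\n' "$1" | sed -n 's/^deno \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

version_to_number() {
    # Map X.Y.Z to a single integer so ranges compare numerically (assumes each part < 1000).
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

classify_deno_version() {
    # Prints "vulnerable", "not-affected" (below 1.5.0 or at/after 1.10.2) or "unknown" (unparseable).
    ver=$(deno_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    n=$(version_to_number "$ver")
    lo=$(version_to_number 1.5.0)
    hi=$(version_to_number 1.10.1)
    if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
        echo vulnerable
    else
        echo not-affected
    fi
}

# Constructed sample of the first line `deno --version` prints on an affected build.
SAMPLE_OUTPUT='deno 1.10.1 (release, x86_64-unknown-linux-gnu)'
echo "sample output: $(classify_deno_version "$SAMPLE_OUTPUT")"

# Check the binary actually on PATH; skipped silently when deno is not installed.
if command -v deno >/dev/null 2>&1; then
    echo "installed deno: $(classify_deno_version "$(deno --version)")"
fi
```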

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file system access or network connections from Deno processes
  • Dynamic import attempts in logs

Network Indicators:

  • Unusual outbound connections from Deno applications
  • Requests to unexpected domains or IPs

SIEM Query:

process.name:deno AND (event.action:file_read OR event.action:network_connection)

🔗 References
