CVE-2021-42139

9.8 CRITICAL

📋 TL;DR

CVE-2021-42139 is a critical code injection vulnerability in Deno Standard Modules that allows remote code execution when processing untrusted YAML files. Attackers can execute arbitrary code on affected systems by crafting malicious YAML content. This affects any application using vulnerable Deno Standard Modules versions to parse YAML files from untrusted sources.

💻 Affected Systems

Products:
  • Deno Standard Modules
Versions: All versions before 0.107.0
Operating Systems: All platforms running Deno
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the vulnerable YAML parsing functionality from Deno Standard Modules. Applications not using YAML parsing or using alternative YAML libraries are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case: Remote code execution leading to data theft, service disruption, or lateral movement within the network.

🟢 If Mitigated: Limited impact if proper input validation and sandboxing are implemented, potentially reduced to denial of service.

🌐 Internet-Facing: HIGH - Applications accepting YAML input from external sources are directly exploitable over the network.
🏢 Internal Only: MEDIUM - Internal applications processing YAML from untrusted internal sources remain vulnerable but with reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to parse attacker-controlled YAML content. The vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.107.0

Vendor Advisory: https://github.com/denoland/deno_std/releases/tag/0.107.0

Restart Required: No

Instructions:

1. Update Deno Standard Modules to version 0.107.0 or later (bump the std@<version> in every import URL that references encoding/yaml.ts).
2. Update package dependencies: 'deno cache --reload' or equivalent.
3. Rebuild and redeploy affected applications.

🔧 Temporary Workarounds

Disable YAML parsing (platforms: all)

Remove or disable YAML parsing functionality in affected applications, i.e. remove 'import { parse } from "https://deno.land/std@<0.107.0/encoding/yaml.ts";' (and any re-export of that module) from code.

Use alternative YAML library (platforms: all)

Replace the vulnerable YAML parser with a secure alternative like js-yaml:

npm install js-yaml
import yaml from 'js-yaml';

In a Deno application the same library is imported with an npm: specifier (import yaml from "npm:js-yaml";, supported since Deno 1.28). Use js-yaml 4.x, whose load() applies the safe default schema and no longer understands JavaScript-specific tags.

🧯 If You Can't Patch

  • Implement strict input validation for all YAML input: reject documents that fail validation before they reach the parser rather than trying to sanitize them afterwards
  • Run Deno applications with minimal permissions: grant only the specific --allow-* permissions the application needs, never --allow-all, so injected code is denied process spawning and network access it was never granted
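The first bullet above is the one that is hardest to act on without guidance, so here is a pre-parse gate as an added example (my code, not from the advisory or from deno_std): it rejects any YAML document that uses an explicit tag outside the YAML core schema. Parsers derived from js-yaml accept JavaScript-specific "!!js/..." tags unless those are removed, and local "!name" tags are application-defined, so an allowlist of standard tags is the conservative default. The function assumes the application already holds the document as a string before calling the parser; ALLOWED_TAGS, the document samples and the function names are assumptions for this example.

```typescript
// Added example, not from the advisory or deno_std: a pre-parse gate that rejects YAML
// documents using any explicit tag outside the YAML core schema. Assumes the
// application has the document as a string before handing it to the parser.

// Standard tags the application is willing to see. Trim this list further if the
// configuration format never needs, say, !!binary or !!timestamp.
const ALLOWED_TAGS = [
  "!!str", "!!int", "!!float", "!!bool", "!!null",
  "!!map", "!!seq", "!!set", "!!omap", "!!pairs", "!!binary", "!!timestamp", "!!merge",
];

interface TagCheck {
  ok: boolean;
  rejected: string[]; // every disallowed tag found, in document order
}

// Remove quoted scalars and trailing comments so a "!" inside a string or comment
// is not mistaken for a tag.
function stripQuotedAndComments(line: string): string {
  let out = "";
  let quote = "";
  for (let i = 0; i < line.length; i++) {
    const c = line.charAt(i);
    if (quote !== "") {
      if (c === "\\" && quote === '"') { i++; continue; } // skip escaped char
      if (c === quote) quote = "";
      continue;
    }
    if (c === '"' || c === "'") { quote = c; continue; }
    if (c === "#" && (i === 0 || /\s/.test(line.charAt(i - 1)))) break;
    out += c;
  }
  return out;
}

function checkYamlTags(doc: string): TagCheck {
  const rejected: string[] = [];
  const lines = doc.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const text = stripQuotedAndComments(lines[i]);
    // A tag token starts with "!" at the beginning of a node: line start, after
    // whitespace, or after a flow indicator ([ { ,). It ends at whitespace or a flow indicator.
    const re = /(^|[\s\[\{,])(![^\s\[\]\{\},]*)/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      const tag = m[2];
      if (ALLOWED_TAGS.indexOf(tag) === -1) rejected.push(tag);
    }
  }
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample documents.
const SAFE_DOC =
  'name: "Deploy!"\n' +
  'replicas: !!int "3"\n' +
  "enabled: !!bool yes\n" +
  "# a !custom tag mentioned in a comment is ignored\n";

const UNSAFE_DOC =
  "hook: !!js/regexp /deploy/\n" +
  "handler: !custom value\n" +
  "list: [!!str a, !local b]\n";

// Fail closed: a document with a disallowed tag is never handed to parse() at all.
function gateAndParse(doc: string): TagCheck {
  const result = checkYamlTags(doc);
  if (!result.ok) {
    console.log("rejected YAML: disallowed tags " + result.rejected.join(", "));
  } else {
    console.log("tags OK, safe to pass to the YAML parser");
  }
  return result;
}

gateAndParse(SAFE_DOC);
gateAndParse(UNSAFE_DOC);
```

The scanner is deliberately conservative: a "!" that starts a word inside a plain (unquoted) scalar or inside a literal block is also reported, so a legitimate configuration may need to quote such values. That is the right trade-off for a gate whose job is to keep untrusted input away from a parser known to execute tag handlers, and rejected documents should be logged with the offending tag for the detection section below.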

🔍 How to Verify

Check if Vulnerable:

Check if your application imports YAML parsing from Deno Standard Modules versions before 0.107.0

Check Version:

deno --version reports only the CLI, V8 and TypeScript versions; the std version is pinned in the import URLs, so search the code base for those instead:

grep -rnoE 'deno\.land/std(@[0-9.]+)?/encoding/yaml\.ts' .

Any hit with a version below 0.107.0 needs attention, as does a hit with no version at all (an unpinned import resolves to whatever std release is current and should be pinned explicitly).

Verify Fix Applied:

Verify that Deno Standard Modules version is 0.107.0 or later and no vulnerable imports remain
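The version check and the fix-verification step above can be automated. The following audit script is an added example (mine, not the advisory's or the deno_std project's): it finds every import of the std YAML module in a set of source files, compares the pinned version against 0.107.0, and reports unpinned imports separately. File contents are passed in as strings so the code runs anywhere; reading real files from disk (for example with Deno.readTextFile) is left to the caller, and the sample files are constructed for the example.

```typescript
// Added example, not part of the advisory or the deno_std project: audit Deno source
// files for imports of the std YAML module and flag any version below the fixed release.
// File contents are passed in as strings; reading them from disk is left to the caller.

const FIXED_VERSION = "0.107.0";

// Matches https://deno.land/std@0.106.0/encoding/yaml.ts as well as the
// unpinned form https://deno.land/std/encoding/yaml.ts (version group absent).
const STD_YAML_IMPORT = /https:\/\/deno\.land\/std(?:@(\d+\.\d+\.\d+))?\/encoding\/yaml\.ts/g;

interface Finding {
  file: string;
  line: number;
  version: string;          // "unpinned" when the URL carries no @version
  status: "vulnerable" | "fixed" | "unpinned";
}

// Numeric dotted-version compare: -1, 0 or 1.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const re = new RegExp(STD_YAML_IMPORT.source, "g"); // fresh lastIndex per line
    let m: RegExpExecArray | null;
    while ((m = re.exec(lines[i])) !== null) {
      const version = m[1];
      if (version === undefined) {
        findings.push({ file, line: i + 1, version: "unpinned", status: "unpinned" });
      } else {
        const vulnerable = compareVersions(version, FIXED_VERSION) < 0;
        findings.push({ file, line: i + 1, version, status: vulnerable ? "vulnerable" : "fixed" });
      }
    }
  }
  return findings;
}

function auditFiles(files: { [name: string]: string }): Finding[] {
  let all: Finding[] = [];
  for (const name of Object.keys(files)) {
    all = all.concat(scanSource(name, files[name]));
  }
  return all;
}

// Constructed sample files standing in for a real code base.
const SAMPLE_FILES: { [name: string]: string } = {
  "config.ts":
    'import { parse } from "https://deno.land/std@0.106.0/encoding/yaml.ts";\n' +
    'export const cfg = parse(await Deno.readTextFile("app.yaml"));\n',
  "deps.ts":
    'export * from "https://deno.land/std@0.99.0/encoding/yaml.ts";\n' +
    'export * from "https://deno.land/std@0.99.0/path/mod.ts";\n',
  "legacy.ts": 'import * as yaml from "https://deno.land/std/encoding/yaml.ts";\n',
  "ok.ts": 'import { parse } from "https://deno.land/std@0.107.0/encoding/yaml.ts";\n',
};

for (const f of auditFiles(SAMPLE_FILES)) {
  console.log(f.status.toUpperCase() + "  " + f.file + ":" + f.line + "  std@" + f.version);
}
```

Run the audit before and after the update: the fix is verified when no finding has status "vulnerable" and every remaining import is pinned to 0.107.0 or later. Re-exports through a central deps.ts file are caught the same way as direct imports, which is why the sample includes one.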

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from YAML parsing context
  • Errors in YAML parsing with suspicious content
  • Unusual network connections from Deno processes

Network Indicators:

  • Outbound connections from applications that should only parse YAML
  • Traffic to unexpected destinations following YAML processing

SIEM Query:

process.name: "deno" AND process.cmdline: *yaml* AND (process.cmdline: *eval* OR process.cmdline: *exec*)
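The log and network indicators above describe a sequence: a Deno process parses YAML, then spawns a process or opens a connection it normally would not. As an added example (not from the advisory, and using an event shape, field names and sample lines that are assumptions of mine), the rule below encodes that sequence over endpoint events in NDJSON form, alerting on any exec or connect from a deno process within WINDOW_SECONDS of that same process logging a YAML parse.

```typescript
// Added example, not from the advisory: a small correlation rule over constructed
// endpoint events. It flags process spawns and outbound connections from a deno
// process within WINDOW_SECONDS of that process logging a YAML parse. The event
// shape, field names and sample lines are assumptions for this example.

interface EndpointEvent {
  ts: string;     // ISO-8601 timestamp
  pid: number;
  comm: string;   // process name
  event: string;  // "log" | "exec" | "connect"
  msg: string;
}

interface Alert {
  pid: number;
  event: string;
  msg: string;
  secondsAfterParse: number;
}

const WINDOW_SECONDS = 30;

function parseNdjson(text: string): EndpointEvent[] {
  return text
    .split("\n")
    .filter(function (l) { return l.trim().length > 0; })
    .map(function (l) { return JSON.parse(l) as EndpointEvent; });
}

function correlate(events: EndpointEvent[]): Alert[] {
  // Process in time order so the per-pid "last parse" state is correct.
  const sorted = events.slice().sort(function (a, b) {
    return new Date(a.ts).getTime() - new Date(b.ts).getTime();
  });
  const lastParse: { [pid: string]: number } = {};
  const alerts: Alert[] = [];
  for (const e of sorted) {
    if (e.comm !== "deno") continue;
    const t = new Date(e.ts).getTime();
    if (e.event === "log" && /yaml/i.test(e.msg)) {
      lastParse[e.pid] = t;
      continue;
    }
    if (e.event !== "exec" && e.event !== "connect") continue;
    const p = lastParse[e.pid];
    if (p !== undefined && t - p <= WINDOW_SECONDS * 1000) {
      alerts.push({ pid: e.pid, event: e.event, msg: e.msg, secondsAfterParse: (t - p) / 1000 });
    }
  }
  return alerts;
}

// Constructed sample event stream (NDJSON). Addresses are from documentation ranges.
const SAMPLE_EVENTS =
  '{"ts":"2021-10-12T10:00:00Z","pid":4242,"comm":"deno","event":"log","msg":"loaded config.yaml"}\n' +
  '{"ts":"2021-10-12T10:00:01Z","pid":4242,"comm":"deno","event":"exec","msg":"child=/bin/sh"}\n' +
  '{"ts":"2021-10-12T10:00:02Z","pid":4242,"comm":"deno","event":"connect","msg":"dst=203.0.113.7:443"}\n' +
  '{"ts":"2021-10-12T10:00:01Z","pid":9001,"comm":"node","event":"exec","msg":"child=/usr/bin/git"}\n' +
  '{"ts":"2021-10-12T10:05:00Z","pid":4242,"comm":"deno","event":"connect","msg":"dst=10.0.0.5:5432"}\n';

function runDetection(ndjson: string): Alert[] {
  const alerts = correlate(parseNdjson(ndjson));
  for (const a of alerts) {
    console.log("ALERT pid=" + a.pid + " " + a.event + " " + a.msg +
      " (" + a.secondsAfterParse + "s after YAML parse)");
  }
  return alerts;
}

runDetection(SAMPLE_EVENTS);
```

Two tuning points matter in practice: the window should match how quickly the application acts after parsing its configuration (the database connection five minutes later in the sample is correctly ignored), and the log-message match should be replaced by whatever the application actually emits when it parses YAML. For applications that were never granted --allow-run, any exec from the deno process is worth an alert on its own, without the time correlation.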
