CVE-2024-27935

7.2 HIGH

📋 TL;DR

This vulnerability in Deno's Node.js compatibility layer allows cross-session data contamination during simultaneous asynchronous reads from Node.js streams. Data intended for one session can be received by another session, potentially causing data corruption and unexpected behavior. All Deno users utilizing the Node.js compatibility layer for network communication or file streams are affected.

💻 Affected Systems

Products:
  • Deno
Versions: 1.35.1 through 1.36.2
Operating Systems: All platforms running Deno
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users of Deno's Node.js compatibility layer (--compat flag or deno.json configuration). Pure Deno APIs are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive data leakage between sessions, authentication bypass, privilege escalation, or complete system compromise through data corruption.

🟠 Likely Case

Data corruption leading to application crashes, incorrect data processing, or exposure of non-sensitive session data.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, but potential for data integrity issues remains.

🌐 Internet-Facing: HIGH - Any internet-facing Deno application using Node.js compatibility layer is vulnerable to data contamination attacks.
🏢 Internal Only: MEDIUM - Internal applications could experience data corruption or leakage between internal sessions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires simultaneous asynchronous reads from Node.js streams, which is a common pattern in network applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.36.3

Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp

Restart Required: Yes

Instructions:

1. Update Deno using: deno upgrade --version 1.36.3
2. Restart all Deno processes
3. Verify the update with: deno --version

🔧 Temporary Workarounds

Disable Node.js Compatibility Layer

Applies to: all

Avoid using Deno's Node.js compatibility features if not required:

  • Remove the --compat flag from startup commands
  • Remove "nodeModulesDir": true from deno.json

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable Deno instances
  • Add monitoring for unusual data patterns or corruption in application logs

🔍 How to Verify

Check if Vulnerable:

An installation is vulnerable if its Deno version is between 1.35.1 and 1.36.2 (inclusive) and Node.js compatibility is enabled

Check Version:

deno --version

Verify Fix Applied:

Confirm Deno version is 1.36.3 or higher and test Node.js stream functionality
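A scripted form of the version and configuration check above, added here as an example and not part of the advisory or of Deno itself. It assumes `deno --version` reports the version on a line beginning with `deno `, and it checks deno.json for the "nodeModulesDir": true key named in the workaround; the sample output in the script is constructed.

```shell
#!/bin/sh
# Added example: decide whether a Deno installation falls in the affected
# range 1.35.1 through 1.36.2 (inclusive) from `deno --version` output.

# Extract the bare version from output such as
# "deno 1.36.2 (release, x86_64-unknown-linux-gnu)"; prints nothing if absent.
deno_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^deno \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Turn "MAJOR.MINOR.PATCH" into a single integer so versions compare numerically.
vernum() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Exit 0 when the version is within 1.35.1..1.36.2 inclusive.
in_affected_range() {
  v=$(vernum "$1")
  [ "$v" -ge "$(vernum 1.35.1)" ] && [ "$v" -le "$(vernum 1.36.2)" ]
}

# Take raw `deno --version` output; exit 0 if affected, 1 if not, 2 if unparsable.
is_vulnerable() {
  ver=$(deno_version_from_output "$1")
  [ -n "$ver" ] || { echo "could not parse deno version" >&2; return 2; }
  in_affected_range "$ver"
}

# Exit 0 when a deno.json enables the Node.js module directory (compat layer).
config_enables_node_compat() {
  [ -f "$1" ] && grep -Eq '"nodeModulesDir"[[:space:]]*:[[:space:]]*true' "$1"
}

# Constructed sample output shaped like what `deno --version` prints.
SAMPLE_OUTPUT='deno 1.36.2 (release, x86_64-unknown-linux-gnu)
v8 11.6.189.12
typescript 5.1.6'

if is_vulnerable "$SAMPLE_OUTPUT"; then
  echo "affected: $(deno_version_from_output "$SAMPLE_OUTPUT") is in 1.35.1-1.36.2; upgrade to 1.36.3"
else
  echo "not in the affected version range"
fi
```

On a real host, replace the constructed sample with `"$(deno --version)"` and point config_enables_node_compat at the project's deno.json.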

📡 Detection & Monitoring

Log Indicators:

  • Unexpected data in application logs
  • Application crashes during stream operations
  • Data corruption errors

Network Indicators:

  • Unusual data patterns in network traffic
  • Cross-session data mixing

SIEM Query:

source="deno" AND (error OR crash OR corruption) AND version<1.36.3
