CVE-2024-37150

7.6 HIGH

📋 TL;DR

Deno 1.44.0 sends the authentication credentials configured in .npmrc along with requests for package tarballs even when the tarball URL returned by a private registry points to a different domain than the registry itself. The private registry token is therefore delivered to whatever third-party host happens to serve the tarball. All users who authenticate to a private registry through .npmrc, and whose registry serves tarballs from another domain, are affected.

💻 Affected Systems

Products:
  • Deno
Versions: 1.44.0 only
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes (no flag or opt-in is needed beyond having credentials in .npmrc)
Notes: Only affects users whose .npmrc contains private registry credentials and whose registry returns tarball URLs on a different domain than the registry itself (for example a separate CDN or object-storage host).

📦 What is this software?

Deno is a JavaScript and TypeScript runtime. It can import packages from npm registries via npm: specifiers and, like npm, reads a .npmrc file for registry configuration and authentication tokens, including credentials for private registries.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The private registry token reaches a host the attacker controls (a malicious or compromised tarball host, or a registry that can be made to return attacker-chosen tarball URLs). The attacker can then act as the user against the registry: read private packages and, if the token carries publish rights, publish backdoored versions that downstream installs pick up.

🟠

Likely Case

A private registry that legitimately hands out tarball URLs on a separate host (a CDN or object-storage bucket) receives the registry token on that host with every install. No attacker is involved, but the credential now sits in the access logs and caches of systems that were never meant to hold it.

🟢

If Mitigated

No credential leakage occurs as proper domain validation prevents sending credentials to unauthorized domains.

🌐 Internet-Facing: MEDIUM - Requires specific private registry configuration with cross-domain tarball URLs and user interaction with npm packages.
🏢 Internal Only: LOW - Internal-only registries with same-domain tarball URLs are not affected by this vulnerability.
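
The scoping rule the fix restores, shown as an added example (illustrative code, not Deno's implementation): a token configured in .npmrc under a `//host/path/` key is only attached to requests whose URL is under that host and path prefix. The .npmrc contents, host names and token below are constructed for the example; the "vulnerable" function reproduces the behaviour the advisory describes (the registry's token is sent to the tarball URL regardless of its host), and the "hardened" one resolves credentials from the tarball URL itself.

```typescript
// Added example (not Deno's code): how a .npmrc token should be scoped to the
// URL actually being fetched. The .npmrc contents, hosts and token below are
// constructed for this example.

// Constructed .npmrc: a scoped private registry with a token, plus the public default.
const SAMPLE_NPMRC = `
@acme:registry=https://npm.acme.example/
//npm.acme.example/:_authToken=npm_SECRET_TOKEN_123
registry=https://registry.npmjs.org/
`;

interface Npmrc {
  /** scope ("@acme"), or "" for the default registry -> registry URL */
  scopes: Map<string, string>;
  /** "//host/path/" -> token */
  tokens: Map<string, string>;
}

function parseNpmrc(text: string): Npmrc {
  const scopes = new Map<string, string>();
  const tokens = new Map<string, string>();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      scopes.set("", value);
    } else if (key.endsWith(":registry")) {
      scopes.set(key.slice(0, -":registry".length), value);
    } else if (key.endsWith(":_authToken")) {
      // Key looks like "//npm.acme.example/:_authToken"; store it as "//host/path/".
      const prefix = key.slice(0, -":_authToken".length);
      tokens.set(prefix.endsWith("/") ? prefix : prefix + "/", value);
    }
  }
  return { scopes, tokens };
}

// Token whose "//host/path/" key is a prefix of the URL, most specific first.
// Returns undefined when no key matches this host, so a URL on another domain
// never inherits a different host's credential.
function tokenForUrl(npmrc: Npmrc, url: string): string | undefined {
  const u = new URL(url);
  const segments = u.pathname.split("/").filter((s) => s !== "");
  for (let n = segments.length; n >= 0; n--) {
    const path = segments.slice(0, n).join("/");
    const key = `//${u.host}/${path === "" ? "" : path + "/"}`;
    const token = npmrc.tokens.get(key);
    if (token !== undefined) return token;
  }
  return undefined;
}

function registryForPackage(npmrc: Npmrc, name: string): string {
  const scope = name.startsWith("@") ? name.split("/")[0] : "";
  return npmrc.scopes.get(scope) ?? npmrc.scopes.get("") ?? "https://registry.npmjs.org/";
}

// VULNERABLE pattern, as the advisory describes: look up the token for the
// package's registry and send it with the tarball request, whatever host the
// tarball URL points at (the URL is never consulted).
function authForTarballVulnerable(npmrc: Npmrc, pkg: string, _tarballUrl: string): string | null {
  const token = tokenForUrl(npmrc, registryForPackage(npmrc, pkg));
  return token === undefined ? null : `Bearer ${token}`;
}

// HARDENED: resolve credentials from the tarball URL itself, so the token is
// only sent to the host (and path prefix) it was configured for.
function authForTarballHardened(npmrc: Npmrc, tarballUrl: string): string | null {
  const token = tokenForUrl(npmrc, tarballUrl);
  return token === undefined ? null : `Bearer ${token}`;
}

const npmrc = parseNpmrc(SAMPLE_NPMRC);
const sameHost = "https://npm.acme.example/@acme/widget/-/widget-1.0.0.tgz";
const crossHost = "https://cdn.third-party.example/tarballs/widget-1.0.0.tgz";
console.log("vulnerable, cross-domain:", authForTarballVulnerable(npmrc, "@acme/widget", crossHost));
console.log("hardened,   cross-domain:", authForTarballHardened(npmrc, crossHost));
console.log("hardened,   same-domain :", authForTarballHardened(npmrc, sameHost));
```

The hardened lookup also generalises the check beyond this CVE: because the key includes the port and path prefix, a token for `//npm.acme.example/` is not sent to `npm.acme.example:8443` or to an unrelated path on a shared host unless .npmrc names them explicitly.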

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific private registry configuration and user interaction with npm packages. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.44.1

Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv

Restart Required: No

Instructions:

1. Run: deno upgrade --version 1.44.1
2. Verify installation with: deno --version
3. Rotate private registry credentials if Deno 1.44.0 was run against a registry that serves tarballs from a different domain: the token may already have been sent to that domain.

🔧 Temporary Workarounds

Pin to secure version (platform: all)

Manually install Deno 1.44.1, or downgrade to 1.43.x:

curl -fsSL https://deno.land/x/install/install.sh | sh -s v1.44.1

Disable .npmrc usage (platform: all)

Temporarily avoid .npmrc authentication with private registries: remove or rename the .npmrc file. This also disables access to the private registry until you patch.

🧯 If You Can't Patch

  • Rotate all private registry credentials immediately
  • Configure private registries to serve tarballs from same domain only

🔍 How to Verify

Check if Vulnerable:

Check the Deno version with deno --version. If the first line reports deno 1.44.0, the system is vulnerable; earlier and later releases are not affected.

Check Version:

deno --version

Verify Fix Applied:

Run: deno --version. Verify output shows 1.44.1 or later.

📡 Detection & Monitoring

Log Indicators:

  • Deno does not log the headers it sends, so look at the egress proxy or the private registry's own access logs rather than at Deno output
  • Requests from Deno 1.44.0 clients carrying an Authorization header to a host other than the configured registry during package installation
  • Credential usage patterns outside the expected registry domains (the tarball host's logs, if you control it, will show the token arriving)

Network Indicators:

  • HTTP requests with Authorization headers to domains other than the configured registry
  • Unexpected outbound connections during npm package operations

SIEM Query (illustrative pseudo-query; adapt the field names to your proxy's schema):

source="deno" AND (url.domain!=registry.domain AND auth_header EXISTS)
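
The pseudo-query above made concrete, as an added example that is not part of the original page: a filter over egress-proxy log lines that flags requests carrying an Authorization header to any host outside the configured registry set. The JSON log format, the sample lines and the `Deno/` user-agent prefix filter are constructed assumptions for this example; adapt the field names to what your proxy actually emits.

```typescript
// Added example: flag outbound requests that carry an Authorization header to a
// host other than the configured private registry. The log format and sample
// lines are constructed for this example.

interface ProxyEvent {
  ts: string;
  client: string;
  method: string;
  url: string;
  ua: string;
  /** Present only when the proxy saw an Authorization header (value redacted). */
  auth?: string;
}

interface Finding {
  ts: string;
  client: string;
  host: string;
  ua: string;
}

// Constructed sample egress-proxy log (JSON lines). Tokens are redacted as a proxy would.
const SAMPLE_LOG = [
  `{"ts":"2024-06-05T10:01:02Z","client":"build-agent-3","method":"GET","url":"https://npm.acme.example/@acme/widget","ua":"Deno/1.44.0","auth":"Bearer [REDACTED]"}`,
  `{"ts":"2024-06-05T10:01:03Z","client":"build-agent-3","method":"GET","url":"https://cdn.third-party.example/tarballs/widget-1.0.0.tgz","ua":"Deno/1.44.0","auth":"Bearer [REDACTED]"}`,
  `{"ts":"2024-06-05T10:01:04Z","client":"build-agent-3","method":"GET","url":"https://registry.npmjs.org/lodash","ua":"Deno/1.44.0"}`,
  `{"ts":"2024-06-05T10:02:00Z","client":"dev-laptop-7","method":"GET","url":"https://api.github.com/user","ua":"curl/8.6.0","auth":"Bearer [REDACTED]"}`,
].join("\n");

// registryHosts: the host[:port] values your .npmrc names under "//host/:_authToken".
// uaPrefix: assumption for this example, used to restrict the rule to Deno clients.
function findCredentialLeaks(log: string, registryHosts: Set<string>, uaPrefix = "Deno/"): Finding[] {
  const findings: Finding[] = [];
  for (const line of log.split("\n")) {
    if (line.trim() === "") continue;
    let ev: ProxyEvent;
    try {
      ev = JSON.parse(line) as ProxyEvent;
    } catch {
      continue; // skip malformed lines rather than abort the sweep
    }
    if (ev.auth === undefined) continue;                 // no credential sent
    if (!(ev.ua ?? "").startsWith(uaPrefix)) continue;   // other clients are out of scope here
    const host = new URL(ev.url).host;                   // includes port when present
    if (registryHosts.has(host)) continue;               // credential went where it belongs
    findings.push({ ts: ev.ts, client: ev.client, host, ua: ev.ua });
  }
  return findings;
}

const leaks = findCredentialLeaks(SAMPLE_LOG, new Set(["npm.acme.example"]));
for (const f of leaks) {
  console.log(`${f.ts} ${f.client} sent credentials to ${f.host} (${f.ua})`);
}
```

Run against real proxy data, a hit from a 1.44.0 client pointing at a CDN or storage host is exactly the leak this CVE describes; treat the token as exposed and rotate it.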

🔗 References

  • Vendor advisory (GHSA-rfc6-h225-3vxv): https://github.com/denoland/deno/security/advisories/GHSA-rfc6-h225-3vxv
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-37150
