CVE-2025-24015
📋 TL;DR
This vulnerability in Deno runtime versions 1.46.0 through 2.1.6 fails to validate AES-GCM authentication tags, allowing tampered ciphertexts to go undetected. This breaks cryptographic integrity guarantees, potentially enabling data manipulation attacks. Any application using Deno's built-in crypto module for AES-GCM encryption is affected.
💻 Affected Systems
- Deno
📦 What is this software?
Deno by Deno
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate encrypted data without detection, potentially leading to data corruption, privilege escalation, or bypassing security controls that rely on cryptographic integrity.
Likely Case
Data integrity violations where encrypted data can be modified without detection, potentially affecting applications that rely on AES-GCM for secure data storage or transmission.
If Mitigated
With proper controls like additional integrity checks or network-level protections, impact is limited to potential data corruption rather than security bypass.
🎯 Exploit Status
Exploitation requires ability to modify ciphertext or use incorrect keys. The vulnerability is in the validation logic, not in breaking encryption itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.7
Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-2x3r-hwv5-p32x
Restart Required: Yes
Instructions:
1. Update Deno to version 2.1.7 or later using: deno upgrade --version 2.1.7
2. Restart all Deno processes and applications
3. Re-encrypt any data that was encrypted with vulnerable versions
🔧 Temporary Workarounds
Use alternative crypto library
Temporarily use a third-party cryptographic library instead of Deno's built-in crypto module for AES-GCM operations
npm install crypto-js
yarn add crypto-js
🧯 If You Can't Patch
- Implement additional integrity checks outside of AES-GCM (e.g., HMAC verification)
- Monitor for unexpected data modifications and implement strict input validation
🔍 How to Verify
Check if Vulnerable:
Check Deno version with: deno --version. If version is between 1.46.0 and 2.1.6 inclusive, you are vulnerable.
Check Version:
deno --version
Verify Fix Applied:
After updating, verify the version is 2.1.7 or later with: deno --version. Then test AES-GCM decryption with a tampered ciphertext: on a fixed runtime it must throw an error instead of returning plaintext.
📡 Detection & Monitoring
Log Indicators:
- Failed decryption attempts that previously succeeded
- Unexpected successful decryption of modified ciphertext
Network Indicators:
- Unusual patterns in encrypted data transmission
- Modified ciphertext being accepted without errors
SIEM Query:
Search for Deno process versions between 1.46.0 and 2.1.6, or monitor for absence of decryption errors in AES-GCM operations
🔗 References
- https://github.com/denoland/deno/commit/0d1beed
- https://github.com/denoland/deno/commit/4f27d7cdc02e3edfb9d36275341fb8185d6e99ed
- https://github.com/denoland/deno/commit/a4003a5292bd0affefad3ecb24a8732886900f67
- https://github.com/denoland/deno/security/advisories/GHSA-2x3r-hwv5-p32x