CVE-2024-27935 in Deno
Summary
by MITRE • 03/21/2024
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/03/2025
The vulnerability described in CVE-2024-27935 represents a critical cross-session data contamination issue within the Deno JavaScript, TypeScript, and WebAssembly runtime environment. This flaw specifically impacts versions 1.35.1 through 1.36.2 of the Deno runtime, where the Node.js compatibility layer introduces a significant security risk through improper buffer management during asynchronous stream operations. The vulnerability stems from the implementation of a global buffer optimization mechanism that was intended to improve performance but inadvertently creates a pathway for data leakage between concurrent sessions. This issue affects all Deno users who leverage the Node.js compatibility layer for network communication or file stream operations, making it particularly concerning given the widespread adoption of Deno in modern web application development environments.
The technical root cause of this vulnerability lies in the stream_wrap.ts file where a global buffer BUF is reused across multiple asynchronous read operations without proper isolation between different session contexts. This design decision, while providing performance benefits through reduced memory allocations, creates a race condition scenario where data from one session's read operation can overwrite or contaminate data intended for another session. The flaw manifests when multiple asynchronous reads occur simultaneously from Node.js streams that originate from socket or file sources, causing the shared global buffer to be accessed concurrently by different execution contexts. This buffer re-use pattern violates fundamental principles of concurrent programming and creates a classic case of data corruption through shared resource contention, which aligns with CWE-362 Concurrency Issues and CWE-129 Improper Validation. The vulnerability demonstrates how performance optimizations can introduce security weaknesses when proper synchronization mechanisms are not implemented.
The operational impact of this vulnerability extends beyond simple data corruption, potentially leading to serious security implications including information disclosure, unauthorized data access, and application behavior manipulation. When multiple concurrent sessions share the same global buffer, sensitive data from one user session could be inadvertently exposed to another session, creating a potential attack vector for malicious actors seeking to exploit session isolation. This contamination could affect authentication tokens, personal data, financial information, or other confidential content processed through Deno applications using the Node.js compatibility layer. The vulnerability affects not only direct users of Deno's Node.js compatibility features but also indirectly impacts applications that depend on Node.js libraries through transitive dependencies, making the attack surface significantly broader. Organizations using Deno in production environments face potential compliance violations and security breaches if this vulnerability remains unpatched, particularly in regulated industries where data isolation is critical.
The remediation for CVE-2024-27935 requires immediate upgrade to Deno version 1.36.3 or later, which contains the necessary patch to address the global buffer re-use issue. System administrators and development teams should prioritize this update across all Deno-based applications and services, particularly those handling sensitive data or operating in multi-user environments. Organizations should conduct comprehensive testing to ensure that the patch does not introduce regressions in application functionality, while also implementing monitoring to detect any potential residual issues. The fix likely involves implementing proper buffer isolation mechanisms or eliminating the global buffer re-use pattern that caused the contamination, aligning with ATT&CK technique T1555.003 Credential Access: Taint Data and T1078 Valid Accounts. Security teams should also review their application architectures to identify any other potential shared resource vulnerabilities and implement proper concurrency controls. Additionally, developers should adopt defensive programming practices when working with asynchronous operations and shared resources, ensuring that performance optimizations do not compromise security isolation requirements. This vulnerability serves as a reminder of the importance of balancing performance gains with security considerations in modern runtime environments.