CVE-2024-27935: Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination

March 5, 2024 (updated March 21, 2024)

A vulnerability in Deno’s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior.

References

github.com/advisories/GHSA-wrqv-pf6j-mqjp
github.com/denoland/deno
github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6
github.com/denoland/deno/issues/20188
github.com/denoland/deno/security/advisories/GHSA-wrqv-pf6j-mqjp
nvd.nist.gov/vuln/detail/CVE-2024-27935

Code Behaviors & Features

Detect and mitigate CVE-2024-27935 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →