The vulnerability CVE-2024-21486 in Deno (prior to version 2.0.0) stemmed from static imports being exempt from network permission checks. This allowed an attacker, under certain conditions (notably with --allow-read and --allow-write permissions), to craft a scenario where sensitive information could be exfiltrated. The PoC involves reading a sensitive file (e.g., /etc/passwd), encoding its content into a URL within a static import statement, and writing this modified script back to disk. When this script is subsequently run, the static import (which bypasses network permission checks) would make a network request to an attacker-controlled server, leaking the sensitive data as part of the URL.
The fix, introduced in Deno 2.0.0, implements a new --allow-import flag. This flag restricts which remote hosts static imports are allowed from. By default, it allows a set of common CDNs and Deno-related domains. This new permission check is applied during the module loading phase for static imports.
No single function was 'vulnerable' in the traditional sense of containing a bug like a buffer overflow. Instead, the vulnerability was a design flaw in the permission model. The functions modified in the patch are primarily involved in parsing command-line arguments, managing permission states, and performing checks during module loading. Key areas of change include:
- cli/args/flags.rs, cli/args/mod.rs: Code was added to define, parse, and apply the new --allow-import flag. This includes determining a default allowlist and inferring allowed hosts from other CLI arguments (like the main module URL).
- runtime/permissions/lib.rs: The core permission logic was extended to include ImportDescriptor to specifically handle permissions for static imports. The PermissionsContainer::check_specifier() method was updated to differentiate between static and dynamic imports and apply the new import permission check for static remote imports.
- cli/file_fetcher.rs, cli/module_loader.rs: These components were updated to propagate and use the refined permission model, ensuring that check_specifier() is called with the correct context (static vs. dynamic) to trigger the --allow-import check when necessary.

Therefore, while functions like Deno.readTextFile and Deno.writeTextFile are used in the PoC, they are not the source of the vulnerability but rather tools to set up the exploit. The actual vulnerability was the absence of a permission check for static imports, which has now been addressed by adding this check, primarily within the PermissionsContainer::check_specifier logic and the surrounding infrastructure that feeds into it.
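A simplified model of the permission decision described above, added here as an illustration; it is not Deno's own source. The ImportKind and Decision names, the pre-fix/post-fix functions, and the allowlist values are constructed for this example, not Deno's real defaults or API.

```rust
// Added model of the fix, not Deno's own code. Allowlists are constructed placeholders,
// not Deno's real --allow-import defaults; IPv6 literals are out of scope here.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum ImportKind { Static, Dynamic }
#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Allowed, DeniedImport, DeniedNet }

pub struct Permissions {
    /// host[:port] entries granted by --allow-import; governs static remote imports.
    pub allow_import: Vec<String>,
    /// host[:port] entries granted by --allow-net; governs dynamic remote imports.
    pub allow_net: Vec<String>,
}

/// "host[:port]" of an http(s) specifier, lower-cased; None for file:, data:, npm: etc.
pub fn remote_host(specifier: &str) -> Option<String> {
    let rest = specifier.strip_prefix("https://").or_else(|| specifier.strip_prefix("http://"))?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    // Drop userinfo so "https://trusted@other/..." is attributed to "other", not "trusted".
    let host = authority.rsplit('@').next()?;
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

/// An entry with a port must match exactly; an entry without a port matches any port.
fn host_allowed(host: &str, allowlist: &[String]) -> bool {
    let bare = host.split(':').next().unwrap_or(host);
    allowlist.iter().map(|a| a.to_ascii_lowercase())
        .any(|a| a == host || (!a.contains(':') && a == bare))
}

impl Permissions {
    /// Pre-2.0.0 behaviour as described above: static imports skipped the network check.
    pub fn check_specifier_pre_fix(&self, specifier: &str, kind: ImportKind) -> Decision {
        match (remote_host(specifier), kind) {
            (None, _) | (Some(_), ImportKind::Static) => Decision::Allowed,
            (Some(h), ImportKind::Dynamic) if host_allowed(&h, &self.allow_net) => Decision::Allowed,
            (Some(_), ImportKind::Dynamic) => Decision::DeniedNet,
        }
    }
    /// Post-fix: static remote imports need --allow-import, dynamic ones still use the net permission.
    pub fn check_specifier(&self, specifier: &str, kind: ImportKind) -> Decision {
        let host = match remote_host(specifier) { Some(h) => h, None => return Decision::Allowed };
        match kind {
            ImportKind::Static if host_allowed(&host, &self.allow_import) => Decision::Allowed,
            ImportKind::Static => Decision::DeniedImport,
            ImportKind::Dynamic if host_allowed(&host, &self.allow_net) => Decision::Allowed,
            ImportKind::Dynamic => Decision::DeniedNet,
        }
    }
}
```

Local (non-http) specifiers are treated as non-network loads in both variants; only the handling of remote static imports differs between them.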
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| deno | rust | < 2.0.0 | 2.0.0 |