7.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24015

CVE-2025-24015: Deno's AES GCM authentication tags are not verified

Summary

This affects AES-256-GCM and AES-128-GCM in Deno, introduced by commit 0d1beed. Specifically, the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js.

Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective.

PoC

import { Buffer } from "node:buffer";
import {
  createCipheriv,
  createDecipheriv,
  randomBytes,
  scrypt,
} from "node:crypto";

type Encrypted = {
  salt: string;
  iv: string;
  enc: string;
  authTag: string;
};

const deriveKey = (key: string, salt: Buffer) =>
  new Promise<Buffer>((res, rej) =>
    scrypt(key, salt, 32, (err, k) => {
      if (err) rej(err);
      else res(k);
    })
  );

async function encrypt(text: string, key: string): Promise<Encrypted> {
  const salt = randomBytes(32);
  const k = await deriveKey(key, salt);

  const iv = randomBytes(16);
  const enc = createCipheriv("aes-256-gcm", k, iv);
  const ciphertext = enc.update(text, "binary", "binary") + enc.final("binary");

  return {
    salt: salt.toString("binary"),
    iv: iv.toString("binary"),
    enc: ciphertext,
    authTag: enc.getAuthTag().toString("binary"),
  };
}

async function decrypt(enc: Encrypted, key: string) {
  const k = await deriveKey(key, Buffer.from(enc.salt, "binary"));
  const dec = createDecipheriv("aes-256-gcm", k, Buffer.from(enc.iv, "binary"));

  const out = dec.update(enc.enc, "binary", "binary");
  dec.setAuthTag(Buffer.from(enc.authTag, "binary"));
  return out + dec.final("binary");
}

const test = await encrypt("abcdefghi", "key");
test.enc = "";
console.log(await decrypt(test, "")); // no error

Impact

While discovered through experimentation, authentication failures that should raise errors may be silently ignored.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-24015

CVE-2025-24015:

7.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
deno	rust	>= 1.46.0, < 2.1.7	2.1.7
deno_node	rust	>= 0.102.0, < 0.125.0	0.125.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Deno's AES-GCM implementation where the authentication tag is not properly validated after commit 0d1beed2e3633d71d5e288e0382b85be361ec13d. This commit refactored cryptographic operations, and in the process, the GCM tag validation became ineffective.

The core of the issue resides in the Rust function deno_node::ops::crypto::cipher::Decipher::final (in ext/node/ops/crypto/cipher.rs). While this function contains code that appears to perform the tag check (let tag = decipher.finish(); if tag.as_slice() == auth_tag), the advisory and PoC confirm that this check does not correctly reject tampered ciphertexts for AES-GCM modes. This means that even if the ciphertext is altered, the decryption process might complete without an error, violating the integrity guarantees of AES-GCM.

The JavaScript function Decipheriv.prototype.final (in ext/node/polyfills/internal/crypto/cipher.ts) serves as the entry point for this operation from TypeScript/JavaScript. It calls the native Rust implementation, and thus exposes the vulnerability. When an application uses crypto.createDecipheriv with an AES-GCM algorithm and calls final(), it would expect an error if the ciphertext or authentication tag is invalid. Due to this vulnerability, such an error is not reliably thrown.

The exploit scenario involves an attacker providing tampered ciphertext. A vulnerable application using Deno's AES-GCM decryption would fail to detect this tampering, potentially leading to processing of inauthentic data. The fix for this vulnerability, indicated by later commits (e.g., 4f27d7cdc02e3edfb9d36275341fb8185d6e99ed), would have rectified the validation logic within Decipher::final or its dependencies to ensure authentication tags are correctly checked.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-24015: Deno's AES GCM authentication tags are not verified

Summary

PoC

Impact

CVE-2025-24015:

7.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-24015: Deno's AES GCM authentication tags are not verified

Summary

PoC

Impact

Technical Details

Basic Information

Basic Information

7.7

7.7

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI