CVE & CISA-KEV Catalog

CVE-2024-27936

HIGH
8.8
CVSS v3
NVD

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41.0 of the deno library contains a patch for the issue.

How to fix

Remediation Available
DenoWindows application
Affected:1.32.1 1.41.0Fixed in:1.41.0Deno Land Inc.

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploit Intelligence

0.94%probability of exploitation in 30 days
57thpercentile

Moderate risk: more likely to be exploited than 57% of all known CVEs.

References

Embed a live status badge for CVE-2024-27936
CVE-2024-27936 severity badge

Markdown

[![CVE-2024-27936](https://tridentstack.com/cve/badge/CVE-2024-27936.svg)](https://tridentstack.com/cve/CVE-2024-27936)

HTML

<a href="https://tridentstack.com/cve/CVE-2024-27936"><img src="https://tridentstack.com/cve/badge/CVE-2024-27936.svg" alt="CVE-2024-27936"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-01-03.