PT-2024-22146 · Deno · Deno

Easrng · Published 2024-03-06 · Updated 2026-04-14 · CVE-2024-27932

CVSS v3.1: 4.6 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Deno versions 1.8.0 through 1.40.3

Description

Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for a specific domain may be sent to a different domain. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.

Recommendations

For Deno versions 1.8.0 through 1.40.3, update to version 1.40.4 or later to resolve the issue. As a temporary workaround, consider avoiding the use of DENO_AUTH_TOKENS with potentially untrusted code until a patch is applied. Restrict access to sensitive domains to minimize the risk of exploitation.
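
The hostname check the description refers to, as an added Rust example that is not Deno's own code: a bare suffix comparison (an assumed illustration of how an "equal to or a child of" check can go wrong) next to a comparison that requires a label boundary. The token list, token values, hostnames and function names are constructed for the example.

```rust
// Added illustration, not Deno's source. Token values and hosts are constructed.

/// Flawed check: bare suffix comparison, so "notexample.com" passes for "example.com".
fn matches_naive(token_host: &str, specifier_host: &str) -> bool {
    specifier_host
        .to_ascii_lowercase()
        .ends_with(&token_host.to_ascii_lowercase())
}

/// Strict check: same host, or a child separated by a "." label boundary.
fn matches_strict(token_host: &str, specifier_host: &str) -> bool {
    let token = token_host.trim_end_matches('.').to_ascii_lowercase();
    let spec = specifier_host.trim_end_matches('.').to_ascii_lowercase();
    if token.is_empty() {
        return false; // an empty token host must never match anything
    }
    match spec.strip_suffix(token.as_str()) {
        Some("") => true, // exact match
        Some(prefix) => prefix.len() > 1 && prefix.ends_with('.'), // child host
        None => false,
    }
}

/// Picks the token for `specifier_host` from a "token@host;token@host" list
/// (hypothetical helper), using the supplied host-matching rule.
fn select_token<'a>(
    list: &'a str,
    specifier_host: &str,
    rule: fn(&str, &str) -> bool,
) -> Option<&'a str> {
    list.split(';')
        .filter_map(|entry| entry.rsplit_once('@'))
        .find(|(_, host)| rule(host, specifier_host))
        .map(|(token, _)| token)
}

fn main() {
    let list = "tokA@example.com;tokB@deno.land"; // constructed sample
    for host in ["example.com", "cdn.example.com", "notexample.com"] {
        println!(
            "{host}: naive={:?} strict={:?}",
            select_token(list, host, matches_naive),
            select_token(list, host, matches_strict)
        );
    }
}
```
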


Related Identifiers

CVE-2024-27932
GHSA-5FRW-4RWQ-XHCR
JLSEC-2026-104

Affected Products

Deno