PT-2024-22148 · Deno · Deno

Leesh3288 · Published 2024-03-06 · Updated 2025-01-03 · CVE-2024-27934

CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Deno versions 1.36.2 through 1.40.3

Description: The issue arises from the use of the inherently unsafe *const c_void and ExternalPointer types, which leads to use-after-free access of the underlying structure and results in arbitrary code execution. An attacker who controls the code executed inside a Deno runtime can exploit this to obtain arbitrary code execution on the host machine regardless of the permissions granted to the runtime. The vulnerability is known to be exploitable through both the *const c_void and the ExternalPointer implementations.

Recommendations: For Deno versions 1.36.2 through 1.40.2, update to version 1.40.3 to fix the issue. For Deno versions prior to 1.36.2, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting the use of *const c_void and ExternalPointer to minimize the risk of exploitation.
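The version ranges in the Recommendations above are easy to misread when checking a fleet by hand, so here is an added example (not part of the advisory and not Deno project code) that parses the first line of deno --version output and classifies the build according to the advisory's three cases: 1.36.2 through 1.40.2 should update to 1.40.3, 1.40.3 and later contain the fix, and versions before 1.36.2 have no fix information. The sample output string is constructed, and the assumed first-line format "deno X.Y.Z (...)" is taken from how the deno command prints its version.

```javascript
// Added example: classify a Deno build against the advisory's version ranges.
// Not part of the advisory or of Deno itself; the sample output below is constructed.

// Parse "x.y.z" (optionally prefixed with "v" or followed by a suffix) into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric (not lexical) comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Bounds exactly as the advisory's Recommendations state them.
const FIRST_AFFECTED = "1.36.2"; // earliest version the advisory says to update
const FIXED_VERSION = "1.40.3";  // version that contains the fix

// Returns one of: "unknown" (before 1.36.2, no fix information),
// "update" (1.36.2 through 1.40.2, update to 1.40.3), "fixed" (1.40.3 or later).
function classifyVersion(version) {
  if (compareVersions(version, FIRST_AFFECTED) < 0) return "unknown";
  if (compareVersions(version, FIXED_VERSION) < 0) return "update";
  return "fixed";
}

// Extract the runtime version from `deno --version` output. Assumed first-line format:
// "deno 1.40.2 (release, x86_64-unknown-linux-gnu)".
function versionFromDenoOutput(output) {
  const m = /^deno\s+v?(\d+\.\d+\.\d+)/m.exec(output);
  if (!m) throw new Error("could not find a deno version line in the output");
  return m[1];
}

// Combine both steps so a host inventory script can call one function per host.
function assessDenoOutput(output) {
  const version = versionFromDenoOutput(output);
  return { version, status: classifyVersion(version) };
}

// Constructed sample output (not captured from a real host).
const SAMPLE_OUTPUT =
  "deno 1.40.2 (release, x86_64-unknown-linux-gnu)\n" +
  "v8 12.1.285.27\n" +
  "typescript 5.3.3\n";

console.log(assessDenoOutput(SAMPLE_OUTPUT)); // { version: '1.40.2', status: 'update' }
```

On a real host, pipe the output of deno --version into assessDenoOutput and act on the status field; the numeric comparison matters because a lexical string compare would order 1.40.10 before 1.40.9.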

Exploit

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2024-27934
GHSA-3J27-563V-28WF

Affected Products

Deno