PT-2024-22149 · Deno · Deno

Mmastrac · Published 2024-03-05 · Updated 2025-01-03 · CVE-2024-27935

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Deno versions 1.35.1 through 1.36.2
Description: A vulnerability in Deno's Node.js compatibility runtime allows cross-session data contamination during simultaneous asynchronous reads from Node.js streams backed by sockets or files. The issue arises from the reuse of a single module-level buffer (BUF) in stream_wrap.ts, introduced as a performance optimization to avoid allocating a buffer for every asynchronous read: when reads on two streams are in flight at the same time, the bytes of one read can land in BUF before the other read's continuation has consumed its own, so data intended for one session is delivered to another. This can result in data corruption, unexpected behavior, and exposure of one session's data to a different session. It affects all Deno users who use the Node.js compatibility layer for network communication or other streams, including through packages that depend on Node.js libraries indirectly.
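The hazard described above, as an added example (not Deno's own code): two sessions read concurrently through a loop that shares one scratch buffer, the way the module-level BUF in stream_wrap.ts was shared, and the slices each session hands to its consumer carry the other session's bytes. FakeSocket, the chunk contents, and the read loops are constructed for the demo; the hardened loop shows the per-stream buffer that removes the aliasing.

```typescript
// Added example, not Deno's code: a model of the shared read-buffer hazard.
// FakeSocket is a constructed stand-in for a socket-backed Node.js stream;
// its read(buf) fills the caller's buffer with the next chunk and resolves
// with the byte count, mirroring the shape of the stream-wrap read loop.

function asciiBytes(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
  return out;
}

function asciiString(b: Uint8Array): string {
  return Array.from(b, (c) => String.fromCharCode(c)).join("");
}

class FakeSocket {
  private chunks: Uint8Array[];
  constructor(chunks: string[]) {
    this.chunks = chunks.map(asciiBytes);
  }
  // Fills buf with the next chunk and resolves with its length (0 at EOF).
  // The fill lands before the promise settles; a real runtime likewise fills
  // the buffer before the awaiting JS continuation runs, which is the window
  // in which a second read into the same buffer overwrites the first.
  read(buf: Uint8Array): Promise<number> {
    const next = this.chunks.shift();
    if (next === undefined) return Promise.resolve(0);
    buf.set(next, 0);
    return Promise.resolve(next.length);
  }
}

type ReadLoop = (sock: FakeSocket, shared: Uint8Array) => Promise<string[]>;

// Vulnerable shape: every session reads into the same scratch buffer
// (standing in for the module-level BUF the advisory describes).
async function readAllShared(sock: FakeSocket, shared: Uint8Array): Promise<string[]> {
  const out: string[] = [];
  for (;;) {
    // While this session is suspended here, the other session's read refills
    // `shared`, so the slice below carries the other session's bytes.
    const n = await sock.read(shared);
    if (n === 0) break;
    out.push(asciiString(shared.slice(0, n)));
  }
  return out;
}

// Hardened shape: each stream owns its read buffer, so concurrent reads on
// different sockets cannot alias each other's bytes.
async function readAllOwned(sock: FakeSocket, _shared: Uint8Array): Promise<string[]> {
  const buf = new Uint8Array(64);
  const out: string[] = [];
  for (;;) {
    const n = await sock.read(buf);
    if (n === 0) break;
    out.push(asciiString(buf.slice(0, n)));
  }
  return out;
}

// Drives two sessions concurrently through the given read loop, handing both
// the same scratch buffer, and returns what each session received.
// Chunk contents are constructed for the demo.
async function runTwoSessions(readAll: ReadLoop): Promise<{ a: string[]; b: string[] }> {
  const scratch = new Uint8Array(64);
  const a = new FakeSocket(["a1", "a2", "a3"]);
  const b = new FakeSocket(["b1", "b2", "b3"]);
  const [ra, rb] = await Promise.all([readAll(a, scratch), readAll(b, scratch)]);
  return { a: ra, b: rb };
}

// True when each session received exactly the bytes its own socket produced.
function isIsolated(r: { a: string[]; b: string[] }): boolean {
  return r.a.join(",") === "a1,a2,a3" && r.b.join(",") === "b1,b2,b3";
}

async function demo(): Promise<void> {
  // With the shared buffer, session A receives ["b1","b2","b3"]: every slice
  // it takes was overwritten by B's read before A resumed.
  const shared = await runTwoSessions(readAllShared);
  console.log("shared buffer:", JSON.stringify(shared), "isolated =", isIsolated(shared));
  const owned = await runTwoSessions(readAllOwned);
  console.log("owned buffers:", JSON.stringify(owned), "isolated =", isIsolated(owned));
}

demo();
```

The interleaving is deterministic here because both sessions suspend at the same await and microtasks run in order: A's read fills the scratch buffer, B's read fills it again before A resumes, and A then slices B's bytes. The real bug needed two reads to complete close together rather than in lockstep, which is why it surfaced under load rather than in simple tests; the fix is the same either way, a buffer owned by the stream (or allocated per read) instead of one shared by all of them.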
Recommendations: For Deno versions 1.35.1 through 1.36.2, update to version 1.36.3 or later, which resolves the issue. Until the update is applied, the workaround is to avoid Node.js streams backed by sockets or files, and in particular to avoid using the net.Stream API to talk to remote servers such as databases or key/value stores. Restricting access to the stream_wrap.ts module itself is not a practical control: it is an internal polyfill of the Node.js compatibility layer rather than a module applications import directly, so the effective mitigation is to stay off the Node.js stream APIs it backs until you are on a fixed version.

Related Identifiers

CVE-2024-27935
GHSA-WRQV-PF6J-MQJP

Affected Products

Deno