PT-2024-27335 · Deno · Deno

Bartlomieju

·

Published

2024-06-06

·

Updated

2024-12-17

·

CVE-2024-37150

CVSS v3.1

7.6

High

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Deno version 1.44.0

Description: An issue in .npmrc support was discovered where Deno would send the .npmrc credentials configured for a scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this issue if their private registry references tarball URLs at a different domain. This includes usage of the deno install subcommand, auto-install for npm: specifiers, and LSP usage.

Recommendations: To resolve the issue, upgrade to Deno 1.44.1. If your private registry has ever served tarballs from a different domain, rotate your registry credentials. As a temporary workaround, consider restricting access to the .npmrc file to minimize the risk of exploitation.
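Added illustration, not Deno's own code: a small model of the credential-scoping decision the description implies, with the reported 1.44.0 behaviour beside the corrected one. The .npmrc sample, scope, host names and token are constructed, and the parser is reduced to the two key kinds involved (scope registry and _authToken).

```typescript
// Added illustration, not Deno's code: models whether the .npmrc token for a scope
// is attached to a tarball request. Sample .npmrc is constructed and simplified.
const SAMPLE_NPMRC = `
@myorg:registry=https://registry.example.com/
//registry.example.com/:_authToken=CONSTRUCTED_TOKEN
`;
function parseNpmrc(text: string) {
  const scopeRegistries = new Map<string, string>(); // "@scope" -> registry URL
  const authTokens = new Map<string, string>();      // "host/path" -> token
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key.startsWith("@") && key.endsWith(":registry")) {
      scopeRegistries.set(key.slice(0, -":registry".length), value);
    } else if (key.startsWith("//") && key.endsWith(":_authToken")) {
      authTokens.set(key.slice(2, -":_authToken".length), value);
    }
  }
  return { scopeRegistries, authTokens };
}
// Token whose "//host/path" prefix covers the given URL, if any.
function tokenForUrl(authTokens: Map<string, string>, url: string): string | undefined {
  const u = new URL(url);
  for (const [prefix, token] of authTokens) {
    if ((u.host + u.pathname).startsWith(prefix)) return token;
  }
  return undefined;
}

// Behaviour the advisory reports for 1.44.0: the scope's token goes to the
// tarball URL regardless of which host the registry metadata named.
function tarballTokenVulnerable(npmrc: string, scope: string, _tarballUrl: string) {
  const cfg = parseNpmrc(npmrc);
  const registry = cfg.scopeRegistries.get(scope);
  return registry ? tokenForUrl(cfg.authTokens, registry) : undefined;
}

// Corrected behaviour: attach the token only when the tarball is served from
// the same origin as the scope's configured registry.
function tarballTokenFixed(npmrc: string, scope: string, tarballUrl: string) {
  const cfg = parseNpmrc(npmrc);
  const registry = cfg.scopeRegistries.get(scope);
  if (!registry || new URL(tarballUrl).origin !== new URL(registry).origin) return undefined;
  return tokenForUrl(cfg.authTokens, registry);
}
```

The same origin comparison is also a useful audit check against existing lockfiles: any resolved tarball URL whose origin differs from the scope's registry is a case where the rotated credentials should be assumed exposed.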

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2024-37150
GHSA-RFC6-H225-3VXV

Affected Products

Deno