CVE-2024-27934

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe *const c_void and ExternalPointer leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe *const c_void and ExternalPointer leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both *const c_void and ExternalPointer implementations. Version 1.40.3 fixes this issue.

Published: Mar 21, 2024
Updated: May 4, 2025
CVE: CVE-2024-27934
GHSA: GHSA-3j27-563v-28wf
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-416

Affected Software
References

Software	From	Fixed in
deno	1.36.2	1.40.3
deno / deno	1.36.2	1.40.3

https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf

Vulnerability Database

CVE-2024-27934

Deep Security Visibility Without the Complexity