CVE-2021-32619 CRITICAL

CVE-2021-32619: Static imports inside dynamically imported modules do not adhere to permission checks

Vendor: Denoland
Product: deno
Weakness: CWE-285
Published: May 28, 2021
Last update: August 3, 2024

CVSS base score

9.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. The vulnerability has been patched in Deno release 1.10.2.

Key dates

02 Disclosure timeline

May 28, 2021: CVE published
August 3, 2024: Record updated