JLSEC-2026-103

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-103.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-103.json

JSON Data

https://api.osv.dev/v1/vulns/JLSEC-2026-103

Upstream

CVE-2024-27931

EUVD-2024-0943

GHSA-hrqr-jv8w-v9jh

Published

2026-04-14T13:10:46.494Z

Modified

2026-04-14T13:31:35.533261615Z

Severity

5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Summary

Insufficient permission checking in `Deno.makeTemp*` APIs

Details

Impact

Insufficient validation of parameters in Deno.makeTemp* APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems.

A user may provide a prefix or suffix to a Deno.makeTemp* API containing path traversal characters. The permission check would prompt for the base directory of the API, but the final file that was created would be outside of this directory:

$ mkdir /tmp/good
$ mkdir /tmp/bad
$ deno repl --allow-write=/tmp/good
> Deno.makeTempFileSync({ dir: "/tmp/bad" })
┌ ⚠️  Deno requests write access to "/tmp/bad".
├ Requested by `Deno.makeTempFile()` API.
├ Run again with --allow-write to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all write permissions) > n
❌ Denied write access to "/tmp/bad".
Uncaught PermissionDenied: Requires write access to "/tmp/bad", run again with the --allow-write flag
    at Object.makeTempFileSync (ext:deno_fs/30_fs.js:176:10)
    at <anonymous>:1:27
> Deno.makeTempFileSync({ dir: "/tmp/good", prefix: "../bad/" })
"/tmp/good/../bad/a9432ef5"
$ ls -l /tmp/bad/a9432ef5
-rw-------@ 1 user  group  0 Mar  4 09:20 /tmp/bad/a9432ef5

Patches

This is fixed in Deno 1.41.1.

Database specific

{
    "sources": [
        {
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-27931",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27931",
            "modified": "2025-01-03T19:29:35.223Z",
            "id": "CVE-2024-27931",
            "imported": "2026-04-14T12:58:55.018Z",
            "published": "2024-03-05T17:15:07.310Z"
        },
        {
            "url": "https://api.github.com/advisories/GHSA-hrqr-jv8w-v9jh",
            "html_url": "https://github.com/advisories/GHSA-hrqr-jv8w-v9jh",
            "modified": "2024-03-05T20:30:05Z",
            "id": "GHSA-hrqr-jv8w-v9jh",
            "imported": "2026-04-14T12:59:06.590Z",
            "published": "2024-03-05T16:19:44Z"
        },
        {
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2024-0943",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-0943",
            "modified": "2024-08-02T00:41:55Z",
            "id": "EUVD-2024-0943",
            "imported": "2026-04-14T12:58:57.176Z",
            "published": "2024-03-05T16:43:11Z"
        }
    ],
    "license": "CC-BY-4.0"
}

References

Credits

- ericcornelissen - REPORTER
- - https://github.com/ericcornelissen
- mmastrac - REMEDIATION_DEVELOPER
- - https://github.com/mmastrac

Affected packages

Julia / Deno_jll

Package

Name: Deno_jll
Purl: pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.0+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-103.json"