216.73.216.170

CVE-2025-24015

· Published 03/06/2025 23:15 · Modified 04/06/2025 20:15

Labels: CVE-2025-24015 2025-06-03CVE-2025-24015CWE-347[email protected]

Essential information

Published
03/06/2025 23:15
Modified
04/06/2025 20:15
Author
Creator
CVSS
7.7 HIGH (v3) 7.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. Version 2.1.7 includes a patch that addresses this issue.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
deno / deno cpe:2.3:a:deno:deno:1.46.0-2.1.6:*:*:*:*:*:*:*
deno / deno cpe:2.3:a:deno:deno:2.1.7:*:*:*:*:*:*:*

References