CVE-2024-27933 | Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass

Exp

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together. Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs. Version 1.39.1 fixes the bug.

Published: 2024-03-21 Last update: 2025-01-03 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2024-27933 is rated Exploit Available (50/100): CVSS High severity, with low exploitation likelihood (EPSS 0.02%). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2024-27933

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2024-27933

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-11-21 0.14% 0.02% -0.12%
2 2025-11-18 0.02% 0.14% +0.12%
3 2025-04-15 0.02%

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-27933

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.2 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.5 6.0 [email protected]
8.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.0 6.0 [email protected]

Weakness enumeration for CVE-2024-27933

GitHub Security Advisory for CVE-2024-27933

GHSA-6q4w-9x56-rmwq · Severity: high · Ecosystem: rust — Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass

Affected software / configurations for CVE-2024-27933

Vendor Product Version Raw CPE
deno deno 1.39.0 cpe:2.3:a:deno:deno:1.39.0:*:*:*:*:*:*:*

References for CVE-2024-27933

URL Tags
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L214 Product
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L220 Product
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L225 Product
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L241 Product
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L256 Product
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L265 Product
https://github.com/denoland/deno/blob/v1.39.0/runtime/permissions/prompter.rs#L99 Product
https://github.com/denoland/deno/commit/55fac9f5ead6d30996400e8597c969b675c5a22b Patch
https://github.com/denoland/deno/commit/5a91a065b882215dde209baf626247e54c21a392 Product
https://github.com/denoland/deno/security/advisories/GHSA-6q4w-9x56-rmwq Exploit Vendor Advisory
cvelogic Threat Intelligence