CVE-2025-24015

Name
CVE-2025-24015
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. Version 2.1.7 includes a patch that addresses this issue.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/denoland/deno/commit/0d1beed
MISC https://github.com/denoland/deno/commit/4f27d7cdc02e3edfb9d36275341fb8185d6e99ed
MISC https://github.com/denoland/deno/commit/a4003a5292bd0affefad3ecb24a8732886900f67
CONFIRM https://github.com/denoland/deno/security/advisories/GHSA-2x3r-hwv5-p32x

Match rules

CPE URI Source package Min version Max version
deno >= 1.46.0 < 2.1.7

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
deno edge-community 2.0.6-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
deno edge-community 2.0.6-r2 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
deno 3.22-community 2.0.6-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable