Summary
Workarounds
There is no workaround for this issue.
For more information
If you have any questions or comments about this advisory:
- Open an issue on the issue tracker
- Discuss on Discord
Impact
Modules that are dynamically imported through import() or new Worker might have been able to bypass network and file system permission checks when statically importing other modules. In Deno 1.5.x and 1.6.x, only programs dynamically importing (especially transitively) untrusted code are affected. In Deno 1.7.x, all programs importing (especially transitively) untrusted code are affected.
In effect, an attacker in control of a (possibly remote) module in a program's module graph has been able to, irrespective of permissions:
- initiate GET requests to arbitrary URLs on the internet (including LAN) and possibly read (parts of) the contents of these resources.
- check for existence of arbitrary paths on the file system, and possibly read (parts of) the contents of these files.
In Deno 1.5.x (October 27th, 2020) and Deno 1.6.x (December 8th, 2020), the attacker's module had to have been granted network or file system read permission in order to be loaded dynamically. Since Deno 1.7.x (January 19th, 2021), this vulnerability could be exploited in a fully sandboxed isolate (without any permissions). This vulnerability was not present in releases prior to 1.5.0.
Arbitrary non-GET requests, control over request headers, or file system writes are not possible through this vulnerability. Users of the deno_core, deno_runtime, or other deno_* crates are not affected. This is a Deno CLI only vulnerability.
We are relatively confident this was not abused in the wild, as by default Deno prints out a green "Download" message when remote imports are downloaded, and this would have caused suspicion if it occurred in the middle of a program's execution. This message can be silenced with the --quiet flag.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
CVE-2021-32619 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.10.2); upgrading removes the vulnerable code path.
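The Impact section above gives three distinct exposure tiers by Deno CLI version (pre-1.5.0 unaffected; 1.5.x and 1.6.x affected only when the dynamically imported module already holds network or file system read permission; 1.7.0 through 1.10.1 exploitable from a fully sandboxed isolate; 1.10.2 fixed). The following triage helper is an added example, not code from the Deno project or this advisory: it parses the version out of deno --version output (the first-line format "deno <version> (...)" and the sample output are assumptions constructed for the example) and maps it to the tier the advisory describes.

```typescript
// Added triage helper (not Deno's own code): classify a Deno CLI version
// against the range in this advisory (>= 1.5.0, <= 1.10.1; fixed in 1.10.2).
function parseVersion(s: string): number[] {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(s.trim());
  if (!m) throw new Error(`not a semver version: ${s}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; negative when a < b.
function cmp(a: number[], b: number[]): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

type Exposure =
  | "not-affected"                                 // < 1.5.0
  | "affected-requires-dynamic-import-permission"  // 1.5.x and 1.6.x
  | "affected-even-without-permissions"            // 1.7.0 .. 1.10.1
  | "fixed";                                       // >= 1.10.2

function classify(version: string): Exposure {
  const v = parseVersion(version);
  if (cmp(v, [1, 5, 0]) < 0) return "not-affected";    // bug introduced in 1.5.0
  if (cmp(v, [1, 10, 2]) >= 0) return "fixed";          // patched in 1.10.2
  if (cmp(v, [1, 7, 0]) < 0) return "affected-requires-dynamic-import-permission";
  return "affected-even-without-permissions";
}

// Pull the CLI version out of `deno --version` output. Assumption: the first
// line looks like "deno <version> (<build info>)".
function versionFromDenoOutput(out: string): string {
  const first = out.split("\n")[0];
  const m = /^deno\s+(\S+)/.exec(first);
  if (!m) throw new Error("unrecognised `deno --version` output");
  return m[1];
}

// Constructed sample output for the example; not captured from a real host.
const SAMPLE_OUTPUT =
  "deno 1.9.2 (release, x86_64-unknown-linux-gnu)\nv8 9.1.269.5\ntypescript 4.2.2";

console.log(classify(versionFromDenoOutput(SAMPLE_OUTPUT)));
```

Feed it the real output of deno --version on each host (for example via child_process) to triage a fleet; anything other than "not-affected" or "fixed" should be upgraded as the Remediation section describes.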
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The vulnerability has been patched in Deno release 1.10.2. You can upgrade to the latest Deno version by running the deno upgrade command. The release is available through all official download channels.
Frequently Asked Questions
- What is CVE-2021-32619? CVE-2021-32619 is a critical-severity incorrect authorization vulnerability in deno (rust), affecting versions >= 1.5.0, <= 1.10.1. It is fixed in 1.10.2. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- How severe is CVE-2021-32619? CVE-2021-32619 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of deno are affected by CVE-2021-32619? deno (rust) versions >= 1.5.0, <= 1.10.1 are affected.
- Is there a fix for CVE-2021-32619? Yes. CVE-2021-32619 is fixed in 1.10.2. Upgrade to this version or later.
- Is CVE-2021-32619 exploitable, and should I be worried? Whether CVE-2021-32619 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2021-32619 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2021-32619? Upgrade deno to 1.10.2 or later.