cve/2024/CVE-2024-27934.md

### [CVE-2024-27934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27934)
![](https://img.shields.io/static/v1?label=Product&message=deno&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3E%3D%201.36.2%2C%20%3C%201.40.3%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-416%3A%20Use%20After%20Free&color=brighgreen)

### Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue.

### POC

#### Reference
- https://github.com/denoland/deno/security/advisories/GHSA-3j27-563v-28wf

#### Github
No PoCs found on GitHub currently.