Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🦀 crates.io

GHSA-xpwj-7v8q-mcgj

CRITICAL

Deno's static imports inside dynamically imported modules do not adhere to permission checks

Also known asCVE-2021-32619
Published
Sep 23, 2021
Updated
Mar 13, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
1.1%probability of exploitation in next 30 days
Lower Risk62th percentile+0.75%
0.00%0.54%1.08%1.61%0.4%1.1%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🦀deno

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.

Description

Impact

Modules that are dynamically imported through import() or new Worker might have been able to bypass network and file system permission checks when statically importing other modules. In Deno 1.5.x and 1.6.x only programs dynamically importing (especially transitively) untrusted code are affected. In Deno 1.7.x all programs importing (especially transitively) untrusted code are affected.

In effect an attacker in control of a (possibly remote) module in a programs module graph has been able to, irrespective of permissions:

  1. initiate GET requests to arbitrary URLs on the internet (including LAN) and possibly read (parts of) the contents of these resources.
  2. check for existence of arbitrary paths on the file system, and possibly read (parts of) the contents of these files.

In Deno 1.5.x (October 27th, 2020) and Deno 1.6.x (December 8th, 2020) the attacker module had to have been granted permissions to load dynamically through the network / fs read permission. Since Deno 1.7.x (January 19th, 2021) this vulnerability was able to be exploited in a fully sandboxed isolate (without any permissions). This vulnerability was not present in releases prior to 1.5.0.

Arbitrary non-GET requests, control over request headers, or file system writes are not possible through this vulnerability. Users of the deno_core, deno_runtime, or other deno_* crates are not affected. This is a Deno CLI only vulnerability.

We are relatively confident this was not abused in the wild, as by default Deno prints out a green "Download" message when remote imports are downloaded, and this would have caused suspicion if it occurred in the middle of a programs execution. This message can be silenced with the --quiet flag.

Patches

The vulnerability has been patched in Deno release 1.10.2. You can upgrade to the latest Deno version by running the deno upgrade command. The release is available through all official download channels.

Workarounds

There is no workaround for this issue.

For more information

If you have any questions or comments about this advisory:

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🦀crates.iodeno1.5.0&&< 1.10.21.10.2

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for deno. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update deno to 1.10.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xpwj-7v8q-mcgj is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-xpwj-7v8q-mcgj is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-xpwj-7v8q-mcgj. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact Modules that are dynamically imported through `import()` or `new Worker` might have been able to bypass network and file system permission checks when statically importing other modules. In Deno 1.5.x and 1.6.x only programs dynamically importing (especially transitively) untrusted code are affected. In Deno 1.7.x all programs importing (especially transitively) untrusted code are affected. In effect an attacker in control of a (possibly remote) module in a programs module graph has been able to, **irrespective of permissions**: 1. initiate GET requests to arbitrary URLs on the in
O3 Security · Impact-Aware SCA

Is GHSA-xpwj-7v8q-mcgj in your dependencies?

O3 detects GHSA-xpwj-7v8q-mcgj across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works