GHSA-2x3r-hwv5-p32x

Опубликовано: 04 июн. 2025

Источник: github

Github: Прошло ревью

CVSS4: 7.7

Описание

Deno's AES GCM authentication tags are not verified

Summary

This affects AES-256-GCM and AES-128-GCM in Deno, introduced by commit 0d1beed. Specifically, the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js.

Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective.

PoC

import { Buffer } from "node:buffer"; import { createCipheriv, createDecipheriv, randomBytes, scrypt, } from "node:crypto"; type Encrypted = { salt: string; iv: string; enc: string; authTag: string; }; const deriveKey = (key: string, salt: Buffer) => new Promise<Buffer>((res, rej) => scrypt(key, salt, 32, (err, k) => { if (err) rej(err); else res(k); }) ); async function encrypt(text: string, key: string): Promise<Encrypted> { const salt = randomBytes(32); const k = await deriveKey(key, salt); const iv = randomBytes(16); const enc = createCipheriv("aes-256-gcm", k, iv); const ciphertext = enc.update(text, "binary", "binary") + enc.final("binary"); return { salt: salt.toString("binary"), iv: iv.toString("binary"), enc: ciphertext, authTag: enc.getAuthTag().toString("binary"), }; } async function decrypt(enc: Encrypted, key: string) { const k = await deriveKey(key, Buffer.from(enc.salt, "binary")); const dec = createDecipheriv("aes-256-gcm", k, Buffer.from(enc.iv, "binary")); const out = dec.update(enc.enc, "binary", "binary"); dec.setAuthTag(Buffer.from(enc.authTag, "binary")); return out + dec.final("binary"); } const test = await encrypt("abcdefghi", "key"); test.enc = ""; console.log(await decrypt(test, "")); // no error

Impact

While discovered through experimentation, authentication failures that should raise errors may be silently ignored.

Ссылки

Пакеты

Наименование

deno

rust

Затронутые версииВерсия исправления

>= 1.46.0, < 2.1.7

2.1.7

Наименование

deno_node

rust

Затронутые версииВерсия исправления

>= 0.102.0, < 0.125.0

0.125.0

EPSS

Процентиль: 16%

0.00051

Низкий

7.7 High

CVSS4

CVE ID

CVE-2025-24015

Дефекты

CWE-347

Связанные уязвимости

CVE-2025-24015

CVSS3: 5.3

nvd

8 месяцев назад

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. Version 2.1.7 includes a patch that addresses this issue.

EPSS

Процентиль: 16%

0.00051

Низкий

7.7 High

CVSS4

CVE ID

CVE-2025-24015

Дефекты

CWE-347