Lucene search
K

11 matches found

Github Security Blog
Github Security Blog
added 2026/06/16 7:11 p.m.8 views

Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Summary Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different...

8.4CVSS5.8AI score0.00144EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2025/10/08 12:49 a.m.8 views

CVE-2025-61786 Deno's --deny-read check does not prevent permission bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync are not limited by the permission model check --deny-read=./. It's possible to retrieve stats from files that the user do not have explic...

3.3CVSS0.00182EPSS
Exploits1References5
CVE
CVE
added 2025/10/08 12:49 a.m.17 views

CVE-2025-61786

CVE-2025-61786 affects the Deno runtime: prior to versions 2.5.3 and 2.2.15, Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync bypass the permission check when --deny-read=./ is used, allowing retrieval of file stats from files the user does not have explicit read access to. The vulne...

3.3CVSS6.2AI score0.00182EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2025/10/07 10:36 p.m.5 views

GHSA-VG2R-RMGP-CGQJ Deno's --deny-write check does not prevent permission bypass

Summary Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync are not limited by the permission model check --deny-write=./. It's possible to change to change the access atime and modification mtime times on the file stream resource even when the file is opened with read only permission...

3.3CVSS6.8AI score0.00184EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2025/06/04 9:22 p.m.13 views

Deno has --allow-read / --allow-write permission bypass in `node:sqlite`

Summary It is possible to bypass Deno's read/write permission checks by using ATTACH DATABASE statement. PoC js // poc.js import DatabaseSync from "node:sqlite" const db = new DatabaseSync":memory:"; db.exec"ATTACH DATABASE 'test.db' as test;"; db.exec"CREATE TABLE test.test id INTEGER PRIMARY KE...

9.1CVSS6.8AI score0.0041EPSS
Exploits1References5Affected Software2
NVD
NVD
added 2025/06/04 8:15 p.m.12 views

CVE-2025-48935

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass Deno's permission read/write db permission check by using ATTACH DATABASE statement. Version 2.2.5 contains a patch for the issue...

9.1CVSS0.0041EPSS
Exploits1References2
NVD
NVD
added 2025/06/04 8:15 p.m.11 views

CVE-2025-48888

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, deno run --allow-read --deny-read main.ts results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions give...

6.9CVSS0.00342EPSS
Exploits1References6
CVE
CVE
added 2025/06/04 7:31 p.m.58 views

CVE-2025-48935

CVE-2025-48935 (Deno) affects Deno runtimes from 2.2.0 up to 2.2.4, where the read/write database permission check can be bypassed via the ATTACH DATABASE statement. The issue is resolved in version 2.2.5. Impact described in sources indicates a bypass of permission checks (read/write permission)...

9.1CVSS6.9AI score0.0041EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2025/06/04 7:31 p.m.8 views

CVE-2025-48935 Deno has --allow-read / --allow-write permission bypass in `node:sqlite`

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass Deno's permission read/write db permission check by using ATTACH DATABASE statement. Version 2.2.5 contains a patch for the issue...

6.9CVSS7.1AI score0.0041EPSS
Exploits1References2
Cvelist
Cvelist
added 2025/06/04 7:31 p.m.17 views

CVE-2025-48935 Deno has --allow-read / --allow-write permission bypass in `node:sqlite`

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass Deno's permission read/write db permission check by using ATTACH DATABASE statement. Version 2.2.5 contains a patch for the issue...

6.9CVSS0.0041EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2023/01/17 8:23 p.m.11 views

CVE-2023-22499 Interactive permission prompt spoofing in Deno

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive permission prompt by rewriting the prompt to suggest that program is waiting on user confirmation to unrelated action. A malicious program could clear the...

7.5CVSS7.6AI score0.00601EPSS
Exploits1References2
Rows per page
Query Builder