CVE-2025-48934

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false...

PT-2025-23906 · Crates.Io · Deno

Summary Static imports are exempted from the network permission check. An attacker could exploit this to leak the password file on the network. Details Static imports in Deno are exempted from the network permission check. This can be exploited by attackers in multiple ways, when third-party code...

CVE-2025-24015

Deno (JavaScript/TypeScript/WebAssembly runtime) versions 1.46.0–2.1.6 suffer from a bug where AES-256-GCM and AES-128-GCM authentication tags are not validated, allowing tampered ciphertexts or incorrect keys to bypass integrity checks. The issue also affects AAD within GCM (set_aad), underminin...

CVE-2023-33966

Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and denoruntime 0.114.0, outbound HTTP requests made using the built-in node:http or node:https modules are incorrectly not checked against the network permission allow list --allow-net. Dependencies relying on these built-in modules...