5 matches found
Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
Summary: In Deno, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile the Node-compatible...
SUSE CVE-2025-48934
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false...
Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
Summary: The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read. PoC: export...
GHSA-7W8P-CHXQ-2789 Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
Summary: The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read. PoC: export...
Deno security vulnerability
Deno is a simple, modern and secure JavaScript and TypeScript runtime environment from Deno Open Source. A security vulnerability exists in Deno versions prior to 2.1.13 and prior to 2.2.13, which stems from an omission of the deny-env option in the Deno.env.toObject method, which could lead to t...