Deno: `fetch()` API sandbox bypass via missing DNS resolution check

Summary When fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP,...

PT-2026-50153

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.1 Description When the fetch function is called, the runtime validates the destination hostname against --deny-net rules but fails to re-verify the IP addresses that the hostname resolves to. This allows an...