CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48935 – Deno has --allow-read / --allow-write permission bypass in `node:sqlite`
https://notcve.org/view.php?id=CVE-2025-48935
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass Deno's permission read/write db permission check by using `ATTACH DATABASE` statement. Version 2.2.5 contains a patch for the issue. Deno es un entorno de ejecución de JavaScript, TypeScript y WebAssembly. A partir de la versión 2.2.0 y anteriores a la 2.2.5, es posible omitir la comprobación de permisos de lectura/escritura de la base de datos de Deno mediante la instru... • https://github.com/denoland/deno/commit/31a97803995bd94629528ba841b2418d3ca01860 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-48934 – Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
https://notcve.org/view.php?id=CVE-2025-48934
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable ... • https://docs.deno.com/api/deno/~/Deno.Env.toObject • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-48888 – Deno run with --allow-read and --deny-read flags results in allowed
https://notcve.org/view.php?id=CVE-2025-48888
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch. • https://github.com/denoland/deno/commit/2f0fae9d9071dcaf0a689bc7097584b1b9ebc8db • CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24015 – Deno's AES GCM authentication tags are not verified
https://notcve.org/view.php?id=CVE-2025-24015
03 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode... • https://github.com/denoland/deno/commit/0d1beed • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-21620 – Deno's authorization headers not dropped when redirecting cross-origin
https://notcve.org/view.php?id=CVE-2025-21620
06 Jan 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2. Deno es un entorno de ejecución de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. C... • https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-32468 – Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator
https://notcve.org/view.php?id=CVE-2024-32468
25 Nov 2024 — Deno is a runtime for JavaScript and TypeScript written in rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate which lead to Self-XSS with deno doc --html. 1.) XSS in generated `search_index.js`, `deno_doc` outputs a JavaScript file for searching. However, the generated file used `innerHTML` on unsanitzed HTML input. 2.) XSS via property, method and enum names, `deno_doc` did not sanitize property names, method names and enum names. • https://github.com/denoland/deno/security/advisories/GHSA-qqwr-j9mm-fhw6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52793 – XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems
https://notcve.org/view.php?id=CVE-2024-52793
22 Nov 2024 — The Deno Standard Library provides APIs for Deno and the Web. Prior to version 1.0.11, `http/file-server`'s `serveDir` with `showDirListing: true` option is vulnerable to cross-site scripting when the attacker is a user who can control file names in the source directory on systems with POSIX file names. Exploitation might also be possible on other systems but less trivial due to e.g. lack of file name support for `<>` in Windows. Version 1.0.11 fixes the issue. • https://github.com/denoland/std/blob/065296ca5a05a47f9741df8f99c32fae4f960070/http/file_server.ts#L507 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37150 – Private npm registry support used scope auth token for downloading tarballs
https://notcve.org/view.php?id=CVE-2024-37150
06 Jun 2024 — An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private ... • https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34346 – Deno contains a permission escalation via open of privileged files with missing `--deny` flag
https://notcve.org/view.php?id=CVE-2024-34346
07 May 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files ... • https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w • CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32477 – Race condition when flushing input stream leads to permission prompt bypass
https://notcve.org/view.php?id=CVE-2024-32477
18 Apr 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and g... • https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •