
CVE-2025-55195 – @std/toml Prototype Pollution in Node.js and Browser
https://notcve.org/view.php?id=CVE-2025-55195
14 Aug 2025 — @std/toml is the TOML module of the Deno Standard Library. Prior to version 1.0.9, an attacker can pollute the prototype chain in the Node.js runtime and in browsers when the library parses untrusted TOML data, achieving a Prototype Pollution (PP) vulnerability. The cause is that the library merges the untrusted object into an empty object which, by default, carries the standard prototype chain. This issue has been patched in version 1.0.9. • https://github.com/denoland/std/security/advisories/GHSA-crjp-8r9q-2j9r • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVE-2025-48935 – Deno has --allow-read / --allow-write permission bypass in `node:sqlite`
https://notcve.org/view.php?id=CVE-2025-48935
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to version 2.2.5, it is possible to bypass Deno's database read/write permission check by using an `ATTACH DATABASE` statement. Version 2.2.5 contains a patch for the issue. • https://github.com/denoland/deno/commit/31a97803995bd94629528ba841b2418d3ca01860 • CWE-863: Incorrect Authorization •

CVE-2025-48934 – Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
https://notcve.org/view.php?id=CVE-2025-48934
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. The documentation of the `--deny-env` option may give the false impression that variables listed there cannot be read at all. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable ... • https://docs.deno.com/api/deno/~/Deno.Env.toObject • CWE-201: Insertion of Sensitive Information Into Sent Data •

CVE-2025-48888 – Deno run with --allow-read and --deny-read flags results in allowed
https://notcve.org/view.php?id=CVE-2025-48888
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in the read permission being allowed, even though 'deny' should take precedence. The result is the same for all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch. • https://github.com/denoland/deno/commit/2f0fae9d9071dcaf0a689bc7097584b1b9ebc8db • CWE-863: Incorrect Authorization •

CVE-2025-24015 – Deno's AES GCM authentication tags are not verified
https://notcve.org/view.php?id=CVE-2025-24015
03 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode... • https://github.com/denoland/deno/commit/0d1beed • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2025-21620 – Deno's authorization headers not dropped when redirecting cross-origin
https://notcve.org/view.php?id=CVE-2025-21620
06 Jan 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with an Authorization header to one domain and the response redirects to a different domain, Deno's `fetch()` redirect handling creates a follow-up request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2. • https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-32468 – Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator
https://notcve.org/view.php?id=CVE-2024-32468
25 Nov 2024 — Deno is a runtime for JavaScript and TypeScript written in Rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate which led to Self-XSS with `deno doc --html`. 1) XSS in the generated `search_index.js`: `deno_doc` outputs a JavaScript file for searching, but the generated file used `innerHTML` on unsanitized HTML input. 2) XSS via property, method and enum names: `deno_doc` did not sanitize property names, method names and enum names. • https://github.com/denoland/deno/security/advisories/GHSA-qqwr-j9mm-fhw6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-52793 – XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems
https://notcve.org/view.php?id=CVE-2024-52793
22 Nov 2024 — The Deno Standard Library provides APIs for Deno and the Web. Prior to version 1.0.11, `http/file-server`'s `serveDir` with `showDirListing: true` option is vulnerable to cross-site scripting when the attacker is a user who can control file names in the source directory on systems with POSIX file names. Exploitation might also be possible on other systems but less trivial due to e.g. lack of file name support for `<>` in Windows. Version 1.0.11 fixes the issue. • https://github.com/denoland/std/blob/065296ca5a05a47f9741df8f99c32fae4f960070/http/file_server.ts#L507 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-37150 – Private npm registry support used scope auth token for downloading tarballs
https://notcve.org/view.php?id=CVE-2024-37150
06 Jun 2024 — An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private ... • https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-34346 – Deno contains a permission escalation via open of privileged files with missing `--deny` flag
https://notcve.org/view.php?id=CVE-2024-34346
07 May 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that access to these files ... • https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w • CWE-863: Incorrect Authorization •