CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-48934 – Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
https://notcve.org/view.php?id=CVE-2025-48934
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable ... • https://docs.deno.com/api/deno/~/Deno.Env.toObject • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-48888 – Deno run with --allow-read and --deny-read flags results in allowed
https://notcve.org/view.php?id=CVE-2025-48888
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch. • https://github.com/denoland/deno/commit/2f0fae9d9071dcaf0a689bc7097584b1b9ebc8db • CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24015 – Deno's AES GCM authentication tags are not verified
https://notcve.org/view.php?id=CVE-2025-24015
03 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode... • https://github.com/denoland/deno/commit/0d1beed • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-21620 – Deno's authorization headers not dropped when redirecting cross-origin
https://notcve.org/view.php?id=CVE-2025-21620
06 Jan 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. This vulnerability is fixed in 2.1.2. Deno es un entorno de ejecución de JavaScript, TypeScript y WebAssembly con valores predeterminados seguros. C... • https://github.com/denoland/deno/security/advisories/GHSA-f27p-cmv8-xhm6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-32468 – Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator
https://notcve.org/view.php?id=CVE-2024-32468
25 Nov 2024 — Deno is a runtime for JavaScript and TypeScript written in rust. Several cross-site scripting vulnerabilities existed in the `deno_doc` crate which lead to Self-XSS with deno doc --html. 1.) XSS in generated `search_index.js`, `deno_doc` outputs a JavaScript file for searching. However, the generated file used `innerHTML` on unsanitzed HTML input. 2.) XSS via property, method and enum names, `deno_doc` did not sanitize property names, method names and enum names. • https://github.com/denoland/deno/security/advisories/GHSA-qqwr-j9mm-fhw6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37150 – Private npm registry support used scope auth token for downloading tarballs
https://notcve.org/view.php?id=CVE-2024-37150
06 Jun 2024 — An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private ... • https://github.com/denoland/deno/commit/566adb7c0a0c0845e90a6e867a2c0ef5d2ada575 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34346 – Deno contains a permission escalation via open of privileged files with missing `--deny` flag
https://notcve.org/view.php?id=CVE-2024-34346
07 May 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files ... • https://github.com/denoland/deno/security/advisories/GHSA-23rx-c3g5-hv9w • CWE-863: Incorrect Authorization •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32477 – Race condition when flushing input stream leads to permission prompt bypass
https://notcve.org/view.php?id=CVE-2024-32477
18 Apr 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as a info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. standard streams also use this channel to send and g... • https://github.com/denoland/deno/security/advisories/GHSA-95cj-3hr2-7j5j • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27936 – Deno interactive permission prompt spoofing via improper ANSI stripping
https://notcve.org/view.php?id=CVE-2024-27936
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the co... • https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27935 – Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination
https://notcve.org/view.php?id=CVE-2024-27935
06 Mar 2024 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno's Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended ... • https://github.com/denoland/deno/commit/3e9fb8aafd9834ebacd27734cea4310caaf794c6 • CWE-488: Exposure of Data Element to Wrong Session •