CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48935 – Deno has --allow-read / --allow-write permission bypass in `node:sqlite`
https://notcve.org/view.php?id=CVE-2025-48935
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass Deno's permission read/write db permission check by using `ATTACH DATABASE` statement. Version 2.2.5 contains a patch for the issue. Deno es un entorno de ejecución de JavaScript, TypeScript y WebAssembly. A partir de la versión 2.2.0 y anteriores a la 2.2.5, es posible omitir la comprobación de permisos de lectura/escritura de la base de datos de Deno mediante la instru... • https://github.com/denoland/deno/commit/31a97803995bd94629528ba841b2418d3ca01860 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-48934 – Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
https://notcve.org/view.php?id=CVE-2025-48934
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable ... • https://docs.deno.com/api/deno/~/Deno.Env.toObject • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-48888 – Deno run with --allow-read and --deny-read flags results in allowed
https://notcve.org/view.php?id=CVE-2025-48888
04 Jun 2025 — Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch. • https://github.com/denoland/deno/commit/2f0fae9d9071dcaf0a689bc7097584b1b9ebc8db • CWE-863: Incorrect Authorization •