// For flags

CVE-2025-48888

Deno run with --allow-read and --deny-read flags results in allowed

Severity Score

5.5
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.

Deno es un entorno de ejecución de JavaScript, TypeScript y WebAssembly. A partir de la versión 1.41.3 y anteriores a las versiones 2.1.13, 2.2.13 y 2.3.2, `deno run --allow-read --deny-read main.ts` da como resultado "permitido", aunque `deny' debería ser más seguro. El resultado es el mismo con todos los permisos unarios globales asignados como `--allow-* --deny-*`. Esto solo afecta a una combinación de indicadores sin sentido, por lo que no debería tener un impacto real en la base de usuarios. Los usuarios pueden actualizar a las versiones 2.1.13, 2.2.13 o 2.3.2 para recibir un parche.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
None
None
Integrity
Low
None
Availability
None
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-05-27 CVE Reserved
  • 2025-06-04 CVE Published
  • 2025-06-04 CVE Updated
  • 2025-07-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Denoland
Search vendor "Denoland"
Deno
Search vendor "Denoland" for product "Deno"
>= 1.41.3 < 2.1.13
Search vendor "Denoland" for product "Deno" and version " >= 1.41.3 < 2.1.13"
en
Affected
Denoland
Search vendor "Denoland"
Deno
Search vendor "Denoland" for product "Deno"
>= 2.2.0 < 2.2.13
Search vendor "Denoland" for product "Deno" and version " >= 2.2.0 < 2.2.13"
en
Affected
Denoland
Search vendor "Denoland"
Deno
Search vendor "Denoland" for product "Deno"
>= 2.3.0 < 2.3.2
Search vendor "Denoland" for product "Deno" and version " >= 2.3.0 < 2.3.2"
en
Affected