CVE-2025-61786

Deno's --deny-read check does not prevent permission bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not limited by the permission model check `--deny-read=./`. It is possible to retrieve stats for files that the user does not have explicit read access to (the script is executed with `--deny-read=./`). Similar APIs such as `Deno.stat` and `Deno.statSync` require the `allow-read` permission; however, once a file is opened, even with write-only flags and under deny-read, file stats can still be retrieved through the file handle, bypassing the permission model. Versions 2.5.3 and 2.2.15 fix the issue.

Data provided by the National Vulnerability Database (NVD)

Affected products:
- Deno Deno, version <= 2.2.15
- Deno Deno, version >= 2.3.0 and < 2.5.3
No warning was found for this CVE.

EPSS metrics
- Type: EPSS; Source: FIRST.org; Score: 0.18%; Percentile: 0.075

CVSS metrics
- Source: security-advisories@github.com; Base Score: 3.3; Exploit Score: 1.8; Impact Score: 1.4
- Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References:
- https://github.com/denoland/deno/releases/tag/v2.2.15 (Release Notes)
- https://github.com/denoland/deno/releases/tag/v2.5.3 (Release Notes)
- https://github.com/denoland/deno/security/advisories/GHSA-qq26-84mh-26j9 (Vendor Advisory, Exploit)
- https://github.com/denoland/deno/pull/30876 (Patch, Issue Tracking)
- https://github.com/denoland/deno/commit/1ab2268c0bcbf9b0468e0e36963f77f8c31c73ec (Patch)