7.3
CVE-2026-49401
- EPSS 0.14%
- Veröffentlicht 23.06.2026 17:22:32
- Zuletzt bearbeitet 23.06.2026 19:34:58
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerdenoland
≫
Produkt
deno
Version
< 2.7.14
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.035 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.3 | 2 | 4.7 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
|
CWE-176 Improper Handling of Unicode Encoding
The product does not properly handle when an input contains Unicode encoding.
CWE-41 Improper Resolution of Path Equivalence
The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.
https://github.com/denoland/deno/security/advisories/GHSA-8xpq-cjcf-3wh9