CVE-2025-48935 — Incorrect Authorization in Deno

CWE-863 — Incorrect Authorization4 documents3 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 42.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Deno Denoland Deno

Timeline

PublishedJun 4

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass Deno's permission read/write db permission check by using `ATTACH DATABASE` statement. Version 2.2.5 contains a patch for the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDdeno/deno2.2.0 — 2.2.5

▶crates.iodeno/deno2.2.0 — 2.2.5

▶CVEListV5denoland/deno>= 2.2.0, < 2.2.5

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Deno has --allow-read / --allow-write permission bypass in `node:sqlite`↗2025-06-04

▶

GHSA

Deno has --allow-read / --allow-write permission bypass in `node:sqlite`↗2025-06-04

▶

OSV

--allow-read / --allow-write permission bypass in `node:sqlite`↗2025-06-03

▶