CVE-2025-61785Incorrect Privilege Assignment in Deno

CWE-266Incorrect Privilege Assignment3 documents3 sources
Severity
3.3LOWNVD
EPSS
0.0%
top 97.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Denoland DenoDeno
Timeline
Latest updateOct 7
PublishedOct 8

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.utime` and `Deno.FsFile.prototype.utimeSync` are not limited by the permission model check `--deny-write=./`. It's possible to change to change the access (`atime`) and modification (`mtime`) times on the file stream resource even when the file is opened with `read` only permission (and `write`: `false`) and file write operations are not allowed (the script is executed with `-

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages3 packages

NVDdeno/deno2.3.02.5.3+1
crates.iodeno/deno< 2.5.3
CVEListV5denoland/deno< 2.2.15+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
Deno's --deny-write check does not prevent permission bypass2025-10-07
GHSA
Deno's --deny-write check does not prevent permission bypass2025-10-07