CVE-2025-61786 — Improper Privilege Management in Deno

CWE-269 — Improper Privilege Management3 documents3 sources

Severity

3.3LOWNVD

EPSS

0.0%

top 95.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Denoland Deno Deno

Timeline

PublishedOct 8

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not limited by the permission model check `--deny-read=./`. It's possible to retrieve stats from files that the user do not have explicit read access to (the script is executed with `--deny-read=./`). Similar APIs like `Deno.stat` and `Deno.statSync` require `allow-read` permission, however, when a file is opened, even with file-w…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages3 packages

▶NVDdeno/deno2.3.0 — 2.5.3+1

▶crates.iodeno/deno< 2.5.3

▶CVEListV5denoland/deno< 2.2.15+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Deno's --deny-read check does not prevent permission bypass↗2025-10-08

▶

OSV

Deno's --deny-read check does not prevent permission bypass↗2025-10-08

▶