Deno Runtime vulnerabilities

6 known vulnerabilities affecting deno/deno_runtime.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 3

Vulnerabilities

CVE-2025-48888 | MEDIUM | Affected: ≥ 0.150.0, < 0.212.0 | Published: 2025-06-04
CVE-2025-48888 [MEDIUM] CWE-863: Deno run with --allow-read and --deny-read flags results in allowed
### Summary
`deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. Same with all global unary permissions given as `--allow-* --deny-*`.
### Details
Caused by the fast exit logic in #22894.
### PoC
Run the above command expecting no permissions to be passed.
### Impact
This o
Sources: GHSA, OSV
CVE-2025-48934 | MEDIUM | Affected: ≥ 0, < 0.212.0 | Published: 2025-06-04
CVE-2025-48934 [MEDIUM] CWE-201: Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
### Summary
The [Deno.env.toObject](https://docs.deno.com/api/deno/~/Deno.Env.toObject) method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the [documentation](https://docs.deno.com/runtime/fundamentals/security
Sources: GHSA, OSV
CVE-2024-27936 | MEDIUM | CVSS 6.5 | Affected: ≥ 0.103.0, < 0.147.0 | Published: 2024-03-21
CVE-2024-27936 [MEDIUM] CWE-150: Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, a maliciously crafted permission request can show a spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from
Sources: GHSA, NVD, OSV
CVE-2023-33966 | CRITICAL | CVSS 9.8 | Affected: v0.114.0 | Published: 2023-05-31
CVE-2023-33966 [CRITICAL] CWE-269: Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying on these built-in modules are subject to the vulnerability too. User
Sources: GHSA, NVD, OSV
CVE-2023-28445 | CRITICAL | CVSS 9.8 | Exploited in wild | Affected: v0.102.0 | Published: 2023-03-24
CVE-2023-28445 [CRITICAL] CWE-125: Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in the wild, as the only version affected is Deno 1.32.0. Deno Deploy us
Sources: GHSA, NVD, OSV
CVE-2023-28446 | HIGH | Affected: ≥ 1.8.0, < 1.31.2 | Published: 2023-03-24
CVE-2023-28446 [HIGH] CWE-150: Interactive `run` permission prompt spoofing via improper ANSI neutralization
### Summary
Arbitrary program names without any ANSI filtering allow any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace them with any desired text.
### Details
The main entry point comes down to the ability to override what the API control says ([40_process.js
Sources: GHSA, OSV