PT-2026-50155 · Crates.Io · Deno

Publicado

2026-06-16

Atualizado

2026-06-16

CVE-2026-49983

CVSS v3.1

5.2

Média

Vetor

AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Summary

In Deno, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env.

process.loadEnvFile() (the Node-compatible API for loading variables from a .env file) does not honor this. It only checks that the program has read permission for the dotenv file, then writes every key in that file into the process environment — even when env access is denied.

In effect, --allow-read plus a writable or attacker-controlled .env file is enough to defeat --deny-env.

Am I affected?

You are potentially affected if all of the following are true:

You run Deno v2.3.0 or newer.
Your program (or any dependency it imports) calls process.loadEnvFile() from node:process.
You rely on Deno's permission model — specifically --deny-env, an --allow-env=… allowlist, or running without granting env — as a security boundary.
The .env path passed to loadEnvFile() can be controlled or modified by a less-trusted party (untrusted input, user-writable directory, third-party dependency, etc.) and is covered by your --allow-read grant.

If your program does not use process.loadEnvFile() at all, or if it already grants full env access, this advisory does not change your risk.

Correção

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-863

Identificadores relacionados

CVE-2026-49983

GHSA-4C8G-JVCX-V4HV

Produtos afetados

Deno

PT-2026-50155 · Crates.Io · Deno

CVE-2026-49983

Summary

Am I affected?

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 3