PT-2025-23841 · Deno · Deno
Frankvd · Published 2025-06-04 · Updated 2026-04-14 · CVE-2025-48934
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Deno versions prior to 2.1.13 and prior to 2.2.13
Description
The issue affects Deno, a JavaScript, TypeScript, and WebAssembly runtime. The Deno.env.toObject method ignores the variables listed in the --deny-env option of the deno run command, so its result can still contain them. This can create a false impression that the variables listed in the option cannot be read, leaving software that relies on this combination vulnerable to malicious code trying to steal secrets.
Recommendations
For Deno versions prior to 2.1.13, update to version 2.1.13 or later.
For Deno versions prior to 2.2.13, update to version 2.2.13 or later.
As a temporary workaround, consider restricting access to sensitive environment variables until the patch is applied.
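To confirm that an installed runtime enforces --deny-env after updating, the following self-check compares per-variable reads with the Deno.env.toObject result for each denied name. It is an added example, not code from the Deno project or from this advisory; the file name check_deny_env.js, the canary variable DENY_ENV_CANARY and the function names are assumptions.

```javascript
// Added example: self-check for the behaviour described in CVE-2025-48934.
// Hypothetical invocation (file name and canary variable are assumptions):
//   DENY_ENV_CANARY=x deno run --allow-env --deny-env=DENY_ENV_CANARY \
//     check_deny_env.js DENY_ENV_CANARY
// The canary must be set in the parent environment, otherwise no API can return it.

// `env` is anything shaped like Deno.env (get() and toObject());
// `denied` is the list of names that were passed to --deny-env.
function auditDenyEnv(env, denied) {
  let snapshot = {};
  try {
    snapshot = env.toObject();
  } catch (_err) {
    // Bulk read refused outright: nothing is exposed through toObject().
  }
  return denied.map((name) => {
    let viaGet = false;
    try {
      viaGet = env.get(name) !== undefined;
    } catch (_err) {
      // A permission error here means the deny rule is enforced for get().
    }
    const viaToObject = Object.prototype.hasOwnProperty.call(snapshot, name);
    return { name, viaGet, viaToObject };
  });
}

// Names that are still readable through either API despite being denied.
function leakedNames(report) {
  return report.filter((r) => r.viaGet || r.viaToObject).map((r) => r.name);
}

// Only runs under Deno; other runtimes just get the functions above.
if (typeof Deno !== "undefined") {
  const denied = Deno.args.length > 0 ? Deno.args : ["DENY_ENV_CANARY"];
  const report = auditDenyEnv(Deno.env, denied);
  console.table(report);
  const leaked = leakedNames(report);
  if (leaked.length > 0) {
    console.error(`--deny-env not enforced for: ${leaked.join(", ")}`);
    Deno.exit(1);
  }
}
```

A row with viaGet false and viaToObject true is the inconsistency this advisory describes; the non-zero exit status lets the check gate a CI job or container build.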
Affected Products
Deno