PT-2025-41208 · Deno · Deno
Dellalibera · Published 2025-10-07 · Updated 2026-04-14 · CVE-2025-61785
CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Deno versions prior to 2.5.3
Deno versions prior to 2.2.15
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. The Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync functions are not limited by the --deny-write=./ permission model check in versions prior to 2.5.3 and 2.2.15. This allows modification of file access (atime) and modification (mtime) times even when the file is opened with read-only permissions and write operations are disallowed. While APIs like Deno.utime and Deno.utimeSync require allow-write permission, this bypass is possible when a file is opened with read-only flags and deny-write permission is set.
Recommendations
Update to Deno version 2.5.3 or later.
Update to Deno version 2.2.15 or later.
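A check to run after updating, as an added example that is not part of the advisory or of Deno's own code: it opens a file read-only, calls FsFile.utime on the handle, and reports whether the modification time moved under --deny-write=./. The function name checkUtimeEnforced, the script name check_utime.js and the file probe.txt are assumptions of this example, as is treating any rejected call as enforcement.

```javascript
// Added example: regression check for the FsFile.utime permission gap.
// Run under the policy being verified, on a disposable file, e.g.:
//   deno run --allow-read --deny-write=./ check_utime.js ./probe.txt
// `rt` is the runtime object (the Deno global). Passing it in as a parameter
// is a choice of this example so the logic can also run against a stand-in.
async function checkUtimeEnforced(rt, path) {
  const st = await rt.stat(path);
  if (!st.mtime) return { enforced: null, detail: "mtime not available on this platform" };
  const original = st.mtime.getTime();
  const atime = st.atime ?? st.mtime;
  const file = await rt.open(path, { read: true }); // read-only handle
  try {
    try {
      // Constructed probe value: one minute before the current mtime.
      await file.utime(atime, new Date(original - 60_000));
    } catch (err) {
      // Assumption: any rejection counts as the runtime enforcing the policy.
      return { enforced: true, detail: `utime rejected (${err.name})` };
    }
    const after = (await rt.stat(path)).mtime.getTime();
    if (after === original) return { enforced: true, detail: "mtime unchanged" };
    await file.utime(atime, new Date(original)); // put the original mtime back
    return { enforced: false, detail: `mtime moved by ${after - original} ms` };
  } finally {
    file.close();
  }
}

// Entry point when executed by Deno with a path argument.
if (typeof Deno !== "undefined" && Deno.args.length > 0) {
  checkUtimeEnforced(Deno, Deno.args[0]).then((r) => {
    const verdict = r.enforced === false ? "NOT ENFORCED" : r.enforced ? "enforced" : "unknown";
    console.log(`Deno ${Deno.version.deno}: deny-write on FsFile.utime ${verdict}: ${r.detail}`);
    Deno.exit(r.enforced === false ? 1 : 0);
  });
}
```

A non-zero exit status means the handle-based call changed the timestamp despite the deny-write policy, so the runtime in use still needs the update.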
Weakness Enumeration
Incorrect Privilege Assignment
Related Identifiers
Affected Products
Deno