PT-2025-41209 · Deno · Deno
Dellalibera · Published 2025-10-08 · Updated 2026-04-14 · CVE-2025-61786
CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Deno versions prior to 2.5.3
Deno versions prior to 2.2.15
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. The Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync functions do not enforce the --deny-read=./ permission restriction. This allows retrieval of file statistics from files that a user does not have explicit read access to, even when the script is executed with the --deny-read=./ flag. While functions like Deno.stat and Deno.statSync require allow-read permission, opening a file with write-only flags and deny-read permission does not prevent the retrieval of file statistics, bypassing the permission model.
Recommendations
Update to Deno version 2.5.3 or later.
Update to Deno version 2.2.15 or later.
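A check that the running Deno enforces the restriction after updating, as an added example (not code from this advisory or from the Deno project). The function name and probe path are hypothetical, and the script assumes a fixed runtime refuses the handle-based stat with a permission error; the runtime object is passed in so the logic can also be exercised against a stub.

```javascript
// Added example, not code from the advisory or the Deno project.
// Hypothetical names: checkFsFileStat, probe.txt. Intended invocation:
//   deno run --allow-write=./ --deny-read=./ check_fsfile_stat.js

// Error names Deno gives a refused permission (NotCapable in 2.x, PermissionDenied in 1.x).
const DENIED = new Set(["NotCapable", "PermissionDenied"]);

function checkFsFileStat(runtime, path) {
  let file;
  try {
    // Write-only handle, so no read access is ever requested for the path.
    file = runtime.openSync(path, { write: true, create: true });
  } catch (err) {
    return { verdict: "inconclusive", detail: `open failed: ${err.name}` };
  }
  try {
    // Control: the path-based stat must be refused, otherwise read access
    // is not actually denied and the result below would mean nothing.
    try {
      runtime.statSync(path);
      return { verdict: "inconclusive", detail: "read is not denied for this path" };
    } catch (err) {
      if (!DENIED.has(err.name)) {
        return { verdict: "inconclusive", detail: `control failed: ${err.name}` };
      }
    }
    // Probe: the handle-based stat described in the advisory.
    try {
      const info = file.statSync();
      return { verdict: "not-enforced", detail: `statSync returned size=${info.size}` };
    } catch (err) {
      return DENIED.has(err.name)
        ? { verdict: "enforced", detail: err.name }
        : { verdict: "inconclusive", detail: `statSync failed: ${err.name}` };
    }
  } finally {
    file.close();
  }
}

// Runs only under Deno; exit code 1 flags a runtime that still needs the update.
if (typeof Deno !== "undefined") {
  const result = checkFsFileStat(Deno, "./probe.txt");
  console.log(`${result.verdict}: ${result.detail}`);
  if (result.verdict === "not-enforced") Deno.exit(1);
}
```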
Weakness Enumeration
Improper Privilege Management
Affected Products
Deno