PT-2026-50147 · Crates.Io · Deno

Published

2026-06-16

·

Updated

2026-06-16

·

CVE-2026-49406

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

When Deno was run in BYONM mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved entrypoint stayed within its node modules/<pkg>/ directory. A malicious package.json whose main field contained .. segments was able to resolve to an arbitrary path on disk, and the resolver then read that file without consulting the --allow-read allowlist. This let a require("evil-pkg") call return the contents of a file that a direct Deno.readTextFileSync(...) call would have been blocked from reading.

Details

In BYONM mode, Deno resolved npm packages directly from a user-managed node modules tree. Resolution of require("pkg") proceeded by reading pkg/package.json, taking the main field, joining it to the package directory, and loading the result as a module.
The path joined from main was not constrained to the package root. A package.json such as:
json
{ "main": "../../../secret.json" }
resolved to node modules/pkg/../../../secret.json, escaping node modules entirely. The BYONM permission check accepted any path that contained a node modules component and did not reject .. traversal, so the resolved path was loaded without a read-permission check.
Because resolution loaded JSON entrypoints by parsing their contents and returning them through require, this exposed the contents of arbitrary .json files reachable by the OS user to the requiring code, even when --allow-read had been narrowed to a specific directory.
The same file accessed via Deno.readTextFileSync was correctly blocked. The bug was that module resolution did not enforce the same read-permission boundary that the filesystem APIs enforced.

Proof of concept

The reporter supplied a self-contained PoC. Layout:
/tmp/deno byonm poc/
├── app/
│  ├── deno.json      (BYONM enabled)
│  ├── exploit.ts      (require("evil-pkg"))
│  └── node modules/
│    └── evil-pkg/
│      └── package.json (main: "../../../secret.json")
└── secret.json       (outside --allow-read scope)
Run:
bash
deno run --no-prompt --allow-read=/tmp/deno byonm poc/app exploit.ts
Observed:
  • Deno.readTextFileSync("/tmp/deno byonm poc/secret.json") — blocked, as expected.
  • require("evil-pkg") — returned the parsed contents of secret.json, bypassing the read allowlist.
A control run with BYONM disabled (--no-config) blocked the require call.

Impact

The vulnerability allowed a hostile npm package installed under a BYONM node modules to read JSON files outside the directories granted via --allow-read, up to the privileges of the OS user running Deno. In practice this exposed configuration and credential files (.env.json, cloud credentials, package lockfiles, etc.) that the user had deliberately excluded from the read scope.
The vulnerability did not grant any capability beyond what the OS user already held, did not affect runs that granted unrestricted --allow-read, and required the user to have installed and then required a hostile package, i.e. an existing supply-chain compromise. The reason it warranted a security advisory rather than a routine bug fix is that Deno's permission model promised that --allow-read=<scope> was a hard boundary even over untrusted npm code, and that promise was broken.
Not affected:
  • Runs without BYONM (default npm resolution went through a separate code path that rejected the traversal).
  • Runs with full --allow-read (no boundary to bypass).
  • Non-JSON entrypoints, in practice — .js/.cjs/.mjs targets executed rather than exposing file contents, which already implied attacker code execution within the granted permission set.

Workarounds

Users on unpatched versions could mitigate by:
  • Avoiding BYONM mode (nodeModulesDir: "manual") for projects that depended on untrusted packages.
  • Auditing package.json main fields in node modules for .. segments before running.
  • Granting --allow-read only when the read scope already covered every file the OS user could see (in which case there was no boundary to bypass and no additional exposure).

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2026-49406
GHSA-968W-XFQW-VP9Q

Affected Products

Deno