CVE-2025-61786

Name: CVE-2025-61786

Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not subject to the permission model check applied by `--deny-read=./`. It is possible to retrieve stats from files that the user does not have explicit read access to (the script is executed with `--deny-read=./`). Similar APIs such as `Deno.stat` and `Deno.statSync` require the `allow-read` permission. However, once a file is opened, even with write-only flags and with read permission denied, it is still possible to retrieve its file stats and thus bypass the permission model. Versions 2.5.3 and 2.2.15 fix the issue.

NVD Severity: unknown

References

| Type | URI |
|---|---|
| MISC | https://github.com/denoland/deno/commit/1ab2268c0bcbf9b0468e0e36963f77f8c31c73ec |
| MISC | https://github.com/denoland/deno/pull/30876 |
| MISC | https://github.com/denoland/deno/releases/tag/v2.2.15 |
| MISC | https://github.com/denoland/deno/releases/tag/v2.5.3 |
| CONFIRM | https://github.com/denoland/deno/security/advisories/GHSA-qq26-84mh-26j9 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| | deno | >= 2.3.0 | < 2.5.3 |
| | deno | >= 0 | < 2.2.15 |
| cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:* | deno | >= None | <= 2.2.15 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| deno | edge-community | 2.0.6-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| deno | edge-community | 2.0.6-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| deno | edge-community | 2.3.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| deno | edge-community | 2.3.1-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| deno | edge-community | 2.3.1-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| deno | edge-community | 2.3.1-r3 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| deno | 3.22-community | 2.0.6-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| deno | 3.22-community | 2.3.1-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| deno | edge-community | 2.3.1-r4 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |