CVE-2025-48935

EUVD-2025-16915 | CRITICAL 9.1 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 17:29 (euvd) - EUVD-2025-16915
Analysis Generated: Mar 14, 2026 - 17:29 (vuln.today)
Patch Released: Mar 14, 2026 - 17:29 (nvd) - Patch available
PoC Detected: Jul 02, 2025 - 13:17 (vuln.today) - Public exploit code
CVE Published: Jun 04, 2025 - 20:15 (nvd)

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to version 2.2.5, it is possible to bypass Deno's read/write database permission check by using an `ATTACH DATABASE` statement. Version 2.2.5 contains a patch for the issue.

Analysis

Deno versions 2.2.0 through 2.2.4 contain an authorization bypass vulnerability in SQLite database handling that allows attackers to circumvent read/write database permission checks via the SQL `ATTACH DATABASE` statement. Per the CVSS vector, an unauthenticated remote attacker can exploit this with no user interaction to gain unauthorized read and write access to protected databases, achieving high confidentiality and integrity impact. A patch is available in Deno 2.2.5.

Technical Context

Deno is a secure-by-default runtime for JavaScript, TypeScript, and WebAssembly that implements a granular permission system to control access to system resources, including file system read/write operations. The vulnerability exists in Deno's SQLite integration (likely via sql.js or a similar WebAssembly SQLite binding) where the permission enforcement layer fails to validate the `ATTACH DATABASE` SQL statement. The `ATTACH DATABASE` clause in SQLite attaches additional database files to an open connection at runtime; Deno's permission checks are bypassed because permission validation occurs when the initial database connection is opened but not during subsequent SQL statement execution. This is a classic example of CWE-863 (Incorrect Authorization), where security checks are applied inconsistently: the initial database open triggers permission validation, but the `ATTACH DATABASE` statement loads additional database files without re-checking permissions for their paths. Affected versions: Deno 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4 (CPE: cpe:2.3:a:denoland:deno:2.2.0:*:*:*:*:*:*:* through cpe:2.3:a:denoland:deno:2.2.4:*:*:*:*:*:*:*).
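The inconsistent-check pattern described above (the database path is validated when the connection is opened, but a later statement can attach a further file without a second check) can be closed on the application side by screening SQL text before it reaches the driver, so that every path an `ATTACH` statement names is run through the same access decision as the original open. The TypeScript below is an added example written for this page; it is not Deno's own code and not the 2.2.5 patch. `scanStatements`, `attachTargets`, `checkSql` and the `mayAccess` callback are hypothetical names, and the sample statements in the comments are constructed. The scanner is deliberately conservative: it ignores `ATTACH` inside comments and string literals (so it does not raise false positives on stored text), records double-quoted tokens as possible literals because SQLite falls back to treating them as strings, and refuses any `ATTACH` whose path is not a visible literal (a bound parameter or expression), since such a path cannot be checked ahead of execution.

```typescript
// Added example, not Deno's implementation: a pre-execution screen for the
// CWE-863 pattern in CVE-2025-48935, where the open path is authorized but
// ATTACH DATABASE paths are not. Names here are hypothetical.

interface Statement {
  keyword: string;    // first bare word of the statement, upper-cased
  literals: string[]; // quoted values in order of appearance
}

// Minimal SQLite-flavoured scanner: splits on ';' outside strings and comments
// and records the leading keyword plus the quoted values of each statement.
function scanStatements(sql: string): Statement[] {
  const out: Statement[] = [];
  let cur: Statement = { keyword: "", literals: [] };
  const n = sql.length;
  let i = 0;

  const flush = (): void => {
    if (cur.keyword !== "") out.push(cur);
    cur = { keyword: "", literals: [] };
  };

  // Reads a quoted token starting at sql[i] (quote q, doubled q escapes q),
  // advances i past the closing quote and returns the unescaped body.
  const readQuoted = (q: string): string => {
    let j = i + 1;
    let body = "";
    while (j < n) {
      if (sql[j] === q) {
        if (sql[j + 1] === q) { body += q; j += 2; continue; }
        break;
      }
      body += sql[j++];
    }
    i = j + 1;
    return body;
  };

  while (i < n) {
    const c = sql[i];
    const next = sql[i + 1];
    if (c === "-" && next === "-") {            // line comment
      while (i < n && sql[i] !== "\n") i++;
      continue;
    }
    if (c === "/" && next === "*") {            // block comment
      const end = sql.indexOf("*/", i + 2);
      i = end === -1 ? n : end + 2;
      continue;
    }
    if (c === "'" || c === '"') {
      // '...' is a string literal; "..." is an identifier, but SQLite treats it
      // as a string where no such identifier exists, so record both.
      cur.literals.push(readQuoted(c));
      continue;
    }
    if (c === "`" || c === "[") {               // identifier quoting only: skip
      const end = sql.indexOf(c === "[" ? "]" : c, i + 1);
      i = end === -1 ? n : end + 1;
      continue;
    }
    if (c === ";") { flush(); i++; continue; }
    if (/[A-Za-z_]/.test(c)) {
      let j = i;
      while (j < n && /[A-Za-z0-9_]/.test(sql[j])) j++;
      if (cur.keyword === "") cur.keyword = sql.slice(i, j).toUpperCase();
      i = j;
      continue;
    }
    i++;
  }
  flush();
  return out;
}

// Paths named by ATTACH statements; null where the path is not a visible
// literal (bound parameter or expression) and therefore cannot be checked.
function attachTargets(sql: string): (string | null)[] {
  return scanStatements(sql)
    .filter((s) => s.keyword === "ATTACH")
    .map((s) => (s.literals.length > 0 ? s.literals[0] : null));
}

// Applies the caller's access decision (the same one used for the open path)
// to every attached path; throws before the SQL is handed to the driver.
function checkSql(sql: string, mayAccess: (path: string) => boolean): void {
  for (const target of attachTargets(sql)) {
    if (target === null) throw new Error("ATTACH with non-literal path refused");
    if (!mayAccess(target)) throw new Error(`ATTACH refused for ${target}`);
  }
}

// Constructed usage: only files under /srv/app/ may be attached.
checkSql("ATTACH '/srv/app/cache.db' AS c; SELECT 1",
  (p) => p.startsWith("/srv/app/"));
```

A wrapper that calls `checkSql` before every `exec`/`prepare` on an unpatched runtime narrows the window, but it is a mitigation layered in front of the driver, not a replacement for the fix in Deno 2.2.5, which performs the permission check where it belongs, at statement execution inside the runtime.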

Affected Products

Deno 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4

Priority Score

66 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +46, POC +20

Vendor Status


CVE-2025-48935 vulnerability details – vuln.today
