Skip to main content

Deno

24 CVEs product

Monthly

CVE-2026-32260 Cargo HIGH PATCH This Week

Deno versions 2.7.0 through 2.7.1 contain a command injection vulnerability in the node:child_process polyfill where improper quote handling allows attackers to bypass previous security fixes and execute arbitrary OS commands through shell metacharacter injection in spawn/spawnSync arguments. This vulnerability bypasses Deno's permission system entirely, enabling complete system compromise for applications processing untrusted input. A patch is available in version 2.7.2.

Command Injection Deno Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27190 Cargo HIGH POC PATCH This Week

Command injection in Deno versions prior to 2.6.8 allows unauthenticated remote attackers to execute arbitrary commands through the node:child_process implementation. Public exploit code exists for this vulnerability, which carries a CVSS score of 8.1 and affects the confidentiality, integrity, and availability of affected systems. Users should upgrade to Deno 2.6.8 or later to remediate this risk.

Command Injection Deno Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
CVE-2026-22864 Cargo HIGH POC PATCH This Week

Arbitrary code execution in Deno runtime versions before 2.5.6 allows unauthenticated attackers to bypass shell script execution restrictions by using alternate casing in batch file extensions (e.g., .BAT, .Bat instead of .bat). The case-sensitive validation flaw enables attackers to spawn blocked Windows batch and command files, achieving remote code execution. Public exploit code exists and no patch is currently available for affected systems.

Windows Deno Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22863 Cargo HIGH POC PATCH This Week

Deno versions up to 2.6.0 contains a vulnerability that allows attackers to have infinite encryptions (CVSS 7.5).

Information Disclosure Deno Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-48935 Cargo CRITICAL POC PATCH Act Now

Deno versions 2.2.0 through 2.2.4 contain an authorization bypass vulnerability in SQLite database handling that allows attackers to circumvent read/write database permission checks via the SQL `ATTACH DATABASE` statement. An unauthenticated remote attacker can exploit this with no user interaction to gain unauthorized read and write access to protected databases, achieving high confidentiality and integrity impact. Patch is available in Deno 2.2.5.

Authentication Bypass SQLi Deno Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-48934 Cargo MEDIUM POC PATCH This Month

A security vulnerability in Deno (CVSS 5.3). Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Deno Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-48888 Cargo MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.

Authentication Bypass Deno Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-24015 Cargo MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. Version 2.1.7 includes a patch that addresses this issue.

Node.js Information Disclosure Deno Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-37150 MEDIUM PATCH This Month

An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Deno
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-34346 Cargo CRITICAL PATCH Act Now

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Deno
NVD GitHub
CVSS 3.1
9.0
EPSS
0.4%
CVE-2024-32477 HIGH POC This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Command Injection Deno
NVD GitHub
CVSS 3.1
7.4
EPSS
0.3%
CVE-2024-27936 Cargo MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Deno Deno Runtime
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2024-27935 Cargo HIGH POC PATCH This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Deno
NVD GitHub
CVSS 3.1
8.3
EPSS
0.7%
CVE-2024-27934 Cargo HIGH POC PATCH This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Use After Free RCE Memory Corruption Deno
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-27933 Cargo HIGH POC PATCH This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass RCE Deno
NVD GitHub
CVSS 3.1
8.8
EPSS
2.3%
CVE-2024-27932 Cargo MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Deno
NVD GitHub
CVSS 3.1
4.6
EPSS
0.6%
CVE-2024-27931 Cargo MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Deno
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-33966 Cargo CRITICAL PATCH Act Now

Deno is a runtime for JavaScript and TypeScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deno Deno Runtime
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-28446 Cargo HIGH POC PATCH This Week

Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Deno
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2023-28445 Cargo CRITICAL PATCH Act Now

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Deno Deno Runtime Serde V8
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-26103 Cargo HIGH POC PATCH This Week

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Deno
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-22499 Cargo HIGH POC PATCH This Week

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Race Condition Information Disclosure Deno
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-24783 Cargo CRITICAL PATCH Act Now

Deno is a runtime for JavaScript and TypeScript. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deno
NVD GitHub
CVSS 3.1
10.0
EPSS
1.1%
CVE-2021-32619 Cargo CRITICAL PATCH Act Now

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Deno
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Deno versions 2.7.0 through 2.7.1 contain a command injection vulnerability in the node:child_process polyfill where improper quote handling allows attackers to bypass previous security fixes and execute arbitrary OS commands through shell metacharacter injection in spawn/spawnSync arguments. This vulnerability bypasses Deno's permission system entirely, enabling complete system compromise for applications processing untrusted input. A patch is available in version 2.7.2.

Command Injection Deno Suse
NVD GitHub VulDB
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

Command injection in Deno versions prior to 2.6.8 allows unauthenticated remote attackers to execute arbitrary commands through the node:child_process implementation. Public exploit code exists for this vulnerability, which carries a CVSS score of 8.1 and affects the confidentiality, integrity, and availability of affected systems. Users should upgrade to Deno 2.6.8 or later to remediate this risk.

Command Injection Deno Suse
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Arbitrary code execution in Deno runtime versions before 2.5.6 allows unauthenticated attackers to bypass shell script execution restrictions by using alternate casing in batch file extensions (e.g., .BAT, .Bat instead of .bat). The case-sensitive validation flaw enables attackers to spawn blocked Windows batch and command files, achieving remote code execution. Public exploit code exists and no patch is currently available for affected systems.

Windows Deno Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Deno versions up to 2.6.0 contains a vulnerability that allows attackers to have infinite encryptions (CVSS 7.5).

Information Disclosure Deno Suse
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Deno versions 2.2.0 through 2.2.4 contain an authorization bypass vulnerability in SQLite database handling that allows attackers to circumvent read/write database permission checks via the SQL `ATTACH DATABASE` statement. An unauthenticated remote attacker can exploit this with no user interaction to gain unauthorized read and write access to protected databases, achieving high confidentiality and integrity impact. Patch is available in Deno 2.2.5.

Authentication Bypass SQLi Deno +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

A security vulnerability in Deno (CVSS 5.3). Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Deno Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.

Authentication Bypass Deno Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. Version 2.1.7 includes a patch that addresses this issue.

Node.js Information Disclosure Deno +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Deno
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Deno
NVD GitHub
EPSS 0% CVSS 7.4
HIGH POC This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Command Injection Deno
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Deno Deno Runtime
NVD GitHub
EPSS 1% CVSS 8.3
HIGH POC PATCH This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Deno
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Use After Free RCE Memory Corruption +1
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass RCE Deno
NVD GitHub
EPSS 1% CVSS 4.6
MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Deno
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Deno
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deno is a runtime for JavaScript and TypeScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deno Deno Runtime
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Deno
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Deno +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Deno
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Race Condition Information Disclosure Deno
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Deno is a runtime for JavaScript and TypeScript. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Deno
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Deno
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy