Deno

8 CVEs

CVE-2026-32260 HIGH PATCH This Week

Deno versions 2.7.0 through 2.7.1 contain a command injection vulnerability in the node:child_process polyfill: improper quote handling when the command line for spawn/spawnSync is assembled lets shell metacharacters in an argument be interpreted by the shell, bypassing the previous fixes for this code path and executing arbitrary OS commands. The injected commands run inside the spawned shell rather than through a Deno permission check, so an application that passes untrusted input to these calls can be completely compromised. A patch is available in version 2.7.2.

Command Injection Deno
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27190 HIGH POC PATCH This Week

Command injection in Deno versions prior to 2.6.8 allows an attacker who controls input passed to the node:child_process implementation to execute arbitrary OS commands. Public exploit code exists for this vulnerability, which carries a CVSS score of 8.1 and affects the confidentiality, integrity, and availability of affected systems. Users should upgrade to Deno 2.6.8 or later to remediate this risk.

Command Injection Deno Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
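Both child_process entries above are the same bug class: an argument that ends up on a shell command line. The added example below is not Deno project code; it is a small demonstration of why an argv array with no shell is the only safe form, why `shell: true` turns a `;` in an argument into a second command, and why "fixing" that by wrapping the argument in single quotes is defeated by a single quote in the input (the quote-handling class of bug described for 2.7.0 through 2.7.1). It runs under Node or Deno with a POSIX `sh` and an `echo` binary on PATH; the inputs are constructed for the demo.

```typescript
// Added example, not Deno's own code: three ways an argument reaches `echo`,
// and what each one actually prints. Needs a POSIX sh (shell: true uses sh -c).
import { spawnSync } from "node:child_process";

// Runs `echo <arg>` three ways and returns the stdout of each.
function runEcho(arg: string): { argv: string; shell: string; quoted: string } {
  // 1. argv array, no shell: the argument is delivered to echo as one literal
  //    string, so metacharacters are just characters.
  const argv = spawnSync("echo", [arg], { encoding: "utf8" }).stdout;

  // 2. shell: true joins command and args with spaces and hands the line to
  //    `sh -c`; a ';' inside the argument now separates two commands.
  const shell = spawnSync("echo", [arg], { shell: true, encoding: "utf8" }).stdout;

  // 3. The naive "fix": wrap the argument in single quotes before giving it to
  //    the shell. A single quote inside the input closes the quoting, and the
  //    rest of the input runs as shell code again.
  const quoted = spawnSync(`echo '${arg}'`, { shell: true, encoding: "utf8" }).stdout;

  return { argv, shell, quoted };
}

// Defensive check for code that cannot avoid a shell: accept only an allowlist
// of characters instead of trying to escape whatever arrives.
function isSafeShellWord(s: string): boolean {
  return /^[A-Za-z0-9_./:@%+=,-]+$/.test(s);
}

// Constructed probe inputs: a plain metacharacter injection and a quote breakout.
const PROBE_PLAIN = "a; echo pwned";
const PROBE_QUOTE_BREAKOUT = "a'; echo pwned; echo '";

function demo(): void {
  for (const probe of [PROBE_PLAIN, PROBE_QUOTE_BREAKOUT]) {
    const r = runEcho(probe);
    console.log(JSON.stringify({ probe, ...r, allowlisted: isSafeShellWord(probe) }));
  }
}

demo();
```

The argv form prints the probe back unchanged; the `shell: true` form prints `a` and then `pwned` on separate lines for the plain probe; and the quoted form survives the plain probe but is broken by the breakout probe, which is exactly the situation a runtime-level quoting fix has to get right. The allowlist is a last line of defence for callers, not a substitute for upgrading.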
CVE-2026-22864 HIGH POC PATCH This Week

Deno runtime versions before 2.5.6 on Windows allow an attacker who can influence the file path passed to a spawn call to bypass the block on executing batch files by using alternate casing in the extension (e.g. `.BAT` or `.Bat` instead of `.bat`). The check compares the extension case-sensitively while Windows file names are case-insensitive, so blocked batch (`.bat`) and command (`.cmd`) files can still be spawned, giving code execution. Public exploit code exists; a patch is available in version 2.5.6.

Windows Deno Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
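The flaw above is a string comparison that is stricter than the file system it guards. The added example below is not Deno's code; it shows the vulnerable, case-sensitive extension check next to a hardened one, run over the probe names an attacker would try. The trailing-dot trimming in the hardened version is an extra assumption for this example (the Win32 path parser strips trailing dots and spaces from a file name), not something the CVE describes.

```typescript
// Added example, not Deno's own code: a case-sensitive batch-file check beside
// a hardened one. Windows file names are case-insensitive, so the check must be too.
const BLOCKED_EXTENSIONS = [".bat", ".cmd"];

// Last path segment for either separator, since Windows accepts both.
function baseName(path: string): string {
  const i = Math.max(path.lastIndexOf("\\"), path.lastIndexOf("/"));
  return path.slice(i + 1);
}

// Vulnerable: byte-for-byte comparison, so "evil.BAT" is not seen as a batch file.
function isBatchFileVulnerable(path: string): boolean {
  const name = baseName(path);
  return BLOCKED_EXTENSIONS.some((ext) => name.endsWith(ext));
}

// Hardened: compare the lower-cased name. Trailing dots/spaces are trimmed first
// (assumption for this example: Win32 strips them, so "evil.bat." opens evil.bat).
function isBatchFileHardened(path: string): boolean {
  const name = baseName(path).replace(/[. ]+$/, "").toLowerCase();
  return BLOCKED_EXTENSIONS.some((ext) => name.endsWith(ext));
}

// Probe names an attacker would try; constructed for this example.
const PROBES = [
  "evil.bat",
  "evil.BAT",
  "evil.Bat",
  "C:\\tools\\evil.CMD",
  "evil.bat.",
  "safe.exe",
];

// Runs both checks over the probes so the gap is visible in one table.
function compareChecks(): Record<string, { vulnerable: boolean; hardened: boolean }> {
  const out: Record<string, { vulnerable: boolean; hardened: boolean }> = {};
  for (const p of PROBES) {
    out[p] = { vulnerable: isBatchFileVulnerable(p), hardened: isBatchFileHardened(p) };
  }
  return out;
}

console.table(compareChecks());
```

Every row except `evil.bat` and `safe.exe` is a bypass of the vulnerable check and a block for the hardened one. The same lesson applies to any allow/deny list keyed on a file name on Windows: normalise case (and the other Win32 path quirks) before comparing.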
CVE-2026-22863 HIGH POC PATCH This Week

Deno versions up to 2.6.0 contain a vulnerability that allows attackers to trigger infinite encryptions (CVSS 7.5).

Information Disclosure Deno Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-48935 CRITICAL POC PATCH Act Now

Deno versions 2.2.0 through 2.2.4 contain an authorization bypass in SQLite database handling: the read/write permission checks applied when a database is opened are not applied to files opened later with the SQL `ATTACH DATABASE` statement. Code running in a sandboxed Deno process, or an attacker who controls SQL passed to it, can therefore attach and read or write database files that the granted permissions did not cover (high confidentiality and integrity impact, no user interaction required). A patch is available in Deno 2.2.5.

Authentication Bypass SQLi Deno Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
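The mechanism above is that `ATTACH` opens a second file the permission check never looked at. Upgrading to 2.2.5 is the fix; for an application that must execute caller-supplied SQL and wants a defence of its own, the added example below (not Deno's code) scans a statement for `ATTACH [DATABASE] <file> AS <name>` after stripping comments, and refuses to run it unless every attached file is `:memory:` or on an explicit allowlist. The allowlist and the sample statements are constructed for the example; the paths are assumed to be already absolute and normalised by the caller.

```typescript
// Added example, not Deno's own code: find the files an SQL statement would
// ATTACH and check them against what the application was granted.

// Strip /* ... */ and -- comments so "ATTACH /*x*/ DATABASE" and "-- ATTACH"
// are handled the way SQLite's parser would see them.
function stripSqlComments(sql: string): string {
  return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--[^\n]*/g, " ");
}

// Returns the file expression of every ATTACH [DATABASE] <file> AS <name>.
// Handles single-quoted strings ('' escape), double-quoted identifiers and bare words.
function attachedFiles(sql: string): string[] {
  const clean = stripSqlComments(sql);
  const re = /\bATTACH\b(?:\s+DATABASE\b)?\s*(?:'((?:[^']|'')*)'|"((?:[^"]|"")*)"|([^\s;]+))/gi;
  const out: string[] = [];
  for (const m of clean.matchAll(re)) {
    if (m[1] !== undefined) out.push(m[1].replace(/''/g, "'"));
    else if (m[2] !== undefined) out.push(m[2].replace(/""/g, '"'));
    else out.push(m[3]);
  }
  return out;
}

// Allow only in-memory databases or files the application explicitly granted.
// Assumption for this example: allowedFiles and the SQL use the same absolute,
// normalised path form, so a plain string comparison is sufficient.
function attachAllowed(sql: string, allowedFiles: string[]): { ok: boolean; denied: string[] } {
  const denied = attachedFiles(sql).filter(
    (f) => f !== ":memory:" && f !== "" && !allowedFiles.includes(f),
  );
  return { ok: denied.length === 0, denied };
}

// Constructed statements: one legitimate, one reaching for a file outside the grant.
const GRANTED = ["/srv/app/app.db", "/srv/app/cache.db"];
const SQL_OK = "ATTACH DATABASE '/srv/app/cache.db' AS c; SELECT count(*) FROM c.entries";
const SQL_ESCAPE = "SELECT 1; attach /* hidden */ '/srv/secrets/users.db' AS s; SELECT * FROM s.users";

console.log(attachAllowed(SQL_OK, GRANTED));      // ok: true
console.log(attachAllowed(SQL_ESCAPE, GRANTED));  // ok: false, denied: ['/srv/secrets/users.db']
```

This is defence in depth, not a replacement for the runtime fix: SQLite also accepts URI filenames (`file:...?mode=ro`) and the attach target can be an expression, so a scanner like this should be paired with the patched runtime and with `--allow-read`/`--allow-write` grants limited to the database files the application actually needs.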
CVE-2025-48934 MEDIUM POC PATCH This Month

A security vulnerability in Deno (CVSS 5.3). Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Deno Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-48888 MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in read access being allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.

Authentication Bypass Deno Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-24015 MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Additional authenticated data set with `setAAD()` is also affected: it is incorporated into the GCM hash (GHASH), but that hash is not validated either, so AAD checks are ineffective. Version 2.1.7 includes a patch that addresses this issue.

Node.js Information Disclosure Deno Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
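The practical question for this one is whether the runtime you are on actually verifies the tag. The added example below is not Deno's code; it is a self-test written against the node:crypto API that encrypts a message with AES-256-GCM and then attempts four decrypts that must fail (flipped ciphertext byte, different AAD, flipped tag byte, wrong key) plus one that must succeed. On Node and on Deno 2.1.7 or later every tampered decrypt throws at `final()`; on Deno 1.46.0 through 2.1.6 they would return garbage or the original plaintext without error, which is the CTR-mode degradation described above. Key, IV, AAD and message are constructed for the test.

```typescript
// Added example, not Deno's own code: does this runtime's AES-GCM reject tampering?
import { Buffer } from "node:buffer";
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const ALG = "aes-256-gcm";

// Encrypts with AAD and returns ciphertext plus the 16-byte authentication tag.
function encrypt(key: Buffer, iv: Buffer, aad: Buffer, plaintext: Buffer): { ct: Buffer; tag: Buffer } {
  const c = createCipheriv(ALG, key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { ct, tag: c.getAuthTag() };
}

// True when decryption throws, which is the correct outcome for tampered input.
// A runtime that skips tag validation returns false here for every tampered case.
function decryptRejects(key: Buffer, iv: Buffer, aad: Buffer, ct: Buffer, tag: Buffer): boolean {
  try {
    const d = createDecipheriv(ALG, key, iv);
    d.setAAD(aad);
    d.setAuthTag(tag);
    Buffer.concat([d.update(ct), d.final()]); // final() is where the tag is checked
    return false;
  } catch {
    return true;
  }
}

// Flips one bit in a copy of the buffer, leaving the original untouched.
function flipBit(b: Buffer, index: number): Buffer {
  const copy = Buffer.from(b);
  copy[index] ^= 0x01;
  return copy;
}

// Runs the five checks; on a correct runtime every field is true.
function gcmSelfTest(): {
  roundTrip: boolean;
  tamperedCiphertext: boolean;
  tamperedAad: boolean;
  tamperedTag: boolean;
  wrongKey: boolean;
} {
  const key = randomBytes(32);
  const iv = randomBytes(12); // 96-bit nonce, the standard GCM choice
  const aad = Buffer.from("header-v1"); // constructed sample AAD
  const msg = Buffer.from("transfer 10 to alice"); // constructed sample message
  const { ct, tag } = encrypt(key, iv, aad, msg);
  return {
    roundTrip: !decryptRejects(key, iv, aad, ct, tag),
    tamperedCiphertext: decryptRejects(key, iv, aad, flipBit(ct, 0), tag),
    tamperedAad: decryptRejects(key, iv, Buffer.from("header-v2"), ct, tag),
    tamperedTag: decryptRejects(key, iv, aad, ct, flipBit(tag, 0)),
    wrongKey: decryptRejects(randomBytes(32), iv, aad, ct, tag),
  };
}

console.log(gcmSelfTest());
```

Run it with `deno run gcm-selftest.ts` (or under Node) on the runtime you deploy; any `false` in the four tampered fields means the runtime is not authenticating and must be upgraded before any AES-GCM output is trusted. The round-trip field guards against a test that "passes" only because the cipher itself is broken.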