CVE-2025-48888
BaseFortify
Publication date: 2025-06-04
Last updated on: 2025-07-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deno | deno | From 1.41.3 (inc) to 2.1.13 (exc) |
| deno | deno | From 2.2.0 (inc) to 2.2.13 (exc) |
| deno | deno | From 2.3.0 (inc) to 2.3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Deno runtime occurs when contradictory global permission flags are used together, such as `--allow-read` combined with `--deny-read`. Normally, the deny flag should override and block the permission, but due to a flaw in the permission handling logic, the deny flag is ignored and the permission is allowed. This happens because of the fast exit logic introduced in a previous update, which incorrectly treats conflicting flags. However, this issue only arises with nonsensical flag combinations that are unlikely to be used in practice. [1]
How can this vulnerability impact me? :
The impact of this vulnerability is minimal because it only occurs with contradictory permission flags that do not make practical sense to use together. As a result, it is unlikely to affect typical users or real-world scenarios. The vulnerability could theoretically allow permissions to be granted when they were intended to be denied, but since the conflicting flags are nonsensical, the risk is low. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running a Deno command with contradictory global unary permission flags, such as `deno run --allow-read --deny-read main.ts`, and observing if read permissions are still granted despite the deny flag. This proof of concept demonstrates the issue where the deny flag is ignored. There are no specific network detection commands provided, but testing the runtime behavior with these conflicting flags is the suggested method. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade their Deno runtime to version 2.1.13, 2.2.13, 2.3.2, or later, where the issue with contradictory global permission flags has been fixed. The fix ensures proper handling of conflicting permission flags, preventing the deny flags from being overridden by allow flags. Until upgrading, avoid using nonsensical combinations of permission flags such as `--allow-* --deny-*` together. [1, 4]