CVE-2025-61785
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deno | deno | to 2.2.15 (inc) |
| deno | deno | From 2.3.0 (inc) to 2.5.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Deno versions prior to 2.5.3 and 2.2.15 allows a script to change the access time (atime) and modification time (mtime) of a file even when the file is opened with read-only permission and write operations are denied using the --deny-write=./ flag. Normally, APIs like Deno.utime require write permission, but due to this flaw, the permission model can be bypassed through Deno.FsFile.prototype.utime and utimeSync methods, allowing modification of file timestamps without proper write permissions. This issue is fixed in versions 2.5.3 and 2.2.15.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized modification of file metadata, specifically the access and modification timestamps, even when write permissions are denied. This could be used to hide unauthorized file access or changes, potentially aiding in evasion of monitoring or forensic analysis. However, it does not allow modification of the file content itself.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Deno to version 2.5.3 or 2.2.15 or later; these versions fix the issue where file access and modification times can be changed even when write access is denied with --deny-write.
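To find hosts that still need that upgrade, the following added example (not code from the Deno project or from this advisory) classifies Deno version strings against the fixed releases named above. The function names and the sample inventory are hypothetical, and 2.2.15 is treated as fixed, following the remediation text.

```javascript
// Added example (not Deno project code). Fixed releases named on this page:
// 2.2.15 for the 2.2 line and 2.5.3 for 2.3.0 and later.
const FIXED_2_2 = [2, 2, 15];
const FIXED_LATEST = [2, 5, 3];

// Accepts "2.4.1", "v2.4.1" or the first line of `deno --version`.
// Returns { v: [major, minor, patch], pre: boolean } or null if unparseable.
function parseDenoVersion(text) {
  const line = String(text).split("\n")[0];
  const m = /(?:^|\s|v)(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(line);
  return m ? { v: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Classifies one version string as "affected", "fixed" or "unknown".
function checkCve202561785(text) {
  const p = parseDenoVersion(text);
  if (!p) return { status: "unknown", upgradeTo: null };
  const fixed = cmp(p.v, [2, 3, 0]) < 0 ? FIXED_2_2 : FIXED_LATEST;
  const c = cmp(p.v, fixed);
  // A pre-release of a fixed version (e.g. 2.5.3-rc.1) is treated as affected,
  // since it may predate the fix. This is a conservative assumption.
  const affected = c < 0 || (c === 0 && p.pre);
  return { status: affected ? "affected" : "fixed",
           upgradeTo: affected ? fixed.join(".") : null };
}

// Hosts from an inventory that are not confirmed fixed.
function audit(inventory) {
  return Object.entries(inventory)
    .map(([host, ver]) => ({ host, ...checkCve202561785(ver) }))
    .filter((r) => r.status !== "fixed");
}

// Constructed sample inventory: host names and versions are made up.
const SAMPLE_INVENTORY = {
  "build-01": "deno 2.4.1 (stable, release, x86_64-unknown-linux-gnu)",
  "build-02": "deno 2.5.3 (stable, release, x86_64-unknown-linux-gnu)",
  "edge-01": "v2.2.14",
  "edge-02": "2.2.15",
  "lab-01": "not installed",
};
console.log(audit(SAMPLE_INVENTORY));
// Under Deno, also report the running runtime's own status.
if (typeof Deno !== "undefined") console.log(Deno.version.deno, checkCve202561785(Deno.version.deno));
```

Hosts whose version cannot be parsed are reported as "unknown" rather than silently passed, so they still show up for manual review.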