CVE-2026-49401
Status: Undergoing Analysis - In Progress
Path Traversal in Deno Runtime

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: denoland
Product: deno
Version / Range: up to 2.7.14 (excluding 2.7.14)
CWE
CWE-41: The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.
CWE-176: The product does not properly handle when an input contains Unicode encoding.
Executive Summary

CVE-2026-49401 is a high-severity vulnerability in Deno versions 2.7.13 and earlier that allows permission bypass on macOS due to Unicode normalization mismatches.

The issue arises because Deno's permission system compares file paths at the raw-byte level, while macOS's APFS filesystem treats different Unicode spellings of the same path as identical.

This mismatch enables attackers to bypass file access restrictions by using alternate Unicode representations of denied paths, such as different Unicode normalizations, case variations, or ligature characters.

The vulnerability affects the --deny-read, --deny-write, --deny-run, and --deny-ffi flags, allowing unauthorized access to restricted files or execution of denied programs.

It specifically impacts macOS systems with APFS, as other operating systems handle path equivalence differently.

The issue was fixed in Deno version 2.7.14 by normalizing both deny-rule paths and requested paths to NFC and applying Unicode case folding before comparison.

Impact Analysis

This vulnerability can allow an attacker to bypass Deno's permission restrictions on macOS systems using APFS.

By exploiting Unicode normalization mismatches, an attacker could gain unauthorized read, write, execution, or foreign function interface (FFI) access to files or programs that should be denied.

This could lead to unauthorized data access, modification, or execution of malicious code within the Deno runtime environment.

The CVSS score of 7.3 indicates high severity, with low attack complexity and low privileges required, making this a significant security risk.

Detection Guidance

This vulnerability arises from the way Deno on macOS compares file paths at the raw-byte level, allowing bypass of permission restrictions by using alternate Unicode representations of denied paths.

To detect if your system is vulnerable, you can check the version of Deno installed and verify if it is earlier than 2.7.14.

Suggested command to check Deno version:

  • deno --version

If the version is 2.7.13 or earlier, your system is vulnerable.

Additionally, to detect attempts to exploit this vulnerability, monitor file access logs or application logs for unusual access patterns involving Unicode variants of restricted paths.

Mitigation Strategies

The primary mitigation is to upgrade Deno to version 2.7.14 or later, where the vulnerability is fixed by normalizing paths and applying Unicode case folding before permission checks.

If immediate upgrade is not possible, it is recommended to avoid relying on denylists (--deny-read, --deny-write, --deny-run, --deny-ffi) on macOS systems.

Instead, use allowlists to restrict permissions and avoid case-sensitive security boundaries.
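The comparison flaw in the description and the fix outlined above, as an added example that is not Deno's own code: a byte-level deny-path check beside one that normalizes both sides to NFC and folds case before comparing, run over constructed spellings of one file name. The paths and the use of toLowerCase() as a stand-in for Unicode case folding are assumptions of this example.

```typescript
// Added example, not Deno's own code: a byte-level deny-path check next to one
// that canonicalises both sides the way the page describes the 2.7.14 fix
// (NFC normalisation followed by case folding). All paths are constructed.

// Constructed deny rule plus two alternate spellings of the same APFS file name.
const DENY_RULE = "/secrets/caf\u00e9.txt";      // precomposed é (U+00E9)
const NFD_SPELLING = "/secrets/cafe\u0301.txt";  // e + combining acute (U+0301)
const CASE_SPELLING = "/SECRETS/CAF\u00c9.TXT";  // same name, different case

// Vulnerable form: compares the raw code units, so any alternate spelling of the
// denied name is treated as a different path and slips past the rule.
function isDeniedRawBytes(requested: string, denyRule: string): boolean {
  return requested === denyRule || requested.startsWith(denyRule + "/");
}

// Canonical form for a normalisation- and case-insensitive volume: NFC first so
// combining sequences collapse, then a case fold. JavaScript exposes no full
// Unicode case folding, so toLowerCase() stands in for it here (an assumption
// of this example; ligature variants would need NFKC or a real case-fold table).
function canonicalPath(p: string): string {
  return p.normalize("NFC").toLowerCase();
}

// Hardened form: canonicalise both the rule and the requested path before comparing.
function isDeniedNormalized(requested: string, denyRule: string): boolean {
  const req = canonicalPath(requested);
  const rule = canonicalPath(denyRule);
  return req === rule || req.startsWith(rule + "/");
}

// Returns the spellings that a given checker fails to deny, i.e. the bypasses.
function findBypasses(
  check: (requested: string, denyRule: string) => boolean,
  denyRule: string,
  spellings: string[],
): string[] {
  return spellings.filter((s) => !check(s, denyRule));
}

const VARIANTS = [DENY_RULE, NFD_SPELLING, CASE_SPELLING];
console.log("raw-byte check lets through:", findBypasses(isDeniedRawBytes, DENY_RULE, VARIANTS));
console.log("normalised check lets through:", findBypasses(isDeniedNormalized, DENY_RULE, VARIANTS));
```

The raw-byte check denies only the exact spelling in the rule, while the normalized check denies all three; the same canonicalisation is what makes an allowlist comparison sound on such a volume.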

Compliance Impact

This vulnerability allows attackers to bypass file access restrictions on macOS systems using Deno versions prior to 2.7.14 by exploiting Unicode normalization mismatches. Such unauthorized access to restricted files or execution of denied programs can lead to exposure or modification of sensitive data.

Because regulations like GDPR and HIPAA require strict controls over access to sensitive personal and health information, this vulnerability could undermine compliance by enabling unauthorized data access or processing.

Organizations relying on Deno on macOS without the patch may face increased risk of data breaches or unauthorized actions, potentially violating these standards' requirements for data protection and access control.
