CVE-2026-49406
Status: Undergoing Analysis - In Progress
Path Traversal in Deno Runtime

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved entrypoint stayed within its node_modules/<pkg>/ directory. A malicious package.json whose main field contained .. segments was able to resolve to an arbitrary path on disk, and the resolver then read that file without consulting the --allow-read allowlist. This let a require("evil-pkg") call return the contents of a file that a direct Deno.readTextFileSync(...) call would have been blocked from reading. This vulnerability is fixed in 2.7.12.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: denoland
Product: deno
Version / Range: up to 2.7.12 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

CVE-2026-49406 is a vulnerability in Deno versions 2.7.11 and earlier when running in BYONM (Bring Your Own Node Modules) mode. The module resolver does not properly validate the paths specified in a package's package.json main field. This allows a malicious package.json to use path traversal sequences (like "..") to resolve to arbitrary files outside the intended package directory.

As a result, the resolver reads files from arbitrary locations on disk without checking the --allow-read permission allowlist, which normally restricts file reads. This means that a require("evil-pkg") call can return the contents of files that would otherwise be blocked from reading by Deno's security model.

This vulnerability is fixed in Deno version 2.7.12.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files on the system where Deno is running. An attacker can craft a malicious package.json that causes Deno to read and expose files outside the intended package directory, bypassing the usual read permission restrictions.

This can result in leakage of confidential information, such as configuration files, secrets, or other sensitive data that should not be accessible to untrusted code.

The impact is moderate, with a CVSS score of 5.5: the attack requires local access (a malicious package must already be present in node_modules), no user interaction is needed, and the result is a loss of confidentiality.

Detection Guidance

This vulnerability can be detected by auditing the `package.json` files in your node modules to check if the main field contains path traversal segments such as ".." that resolve outside the package directory.

Specifically, look for entries in `package.json` files where the main field points to paths like "../../../secret.json" or other relative paths that escape the node_modules/<pkg>/ directory.

Since the vulnerability involves the module resolver reading files outside allowed directories, you can also monitor or log Deno module resolution attempts that access files outside expected paths.

The advisory itself gives no detection commands; one practical approach is to search every package.json under node_modules for a main field containing a ".." segment, for example:

  • grep -r '"main".*\.\.' node_modules/
  • find node_modules/ -name 'package.json' -exec grep -H '"main"' {} \; | grep '\.\.'

Note that a grep for ".." is only a first pass: it cannot tell "lib/../index.js" (which stays inside the package) from "../../../secret.json" (which escapes), and it misses main fields that never mention ".." but escape by other means, such as an absolute path.

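The following is an added example, not Deno's resolver code and not part of the advisory: it implements the containment check the description says the fixed resolver performs (the resolved entrypoint must stay under node_modules/<pkg>/) and builds the audit from the detection guidance on top of it, walking a node_modules tree and reporting any main that escapes its package directory. Function names (`resolveEntrypoint`, `auditNodeModules`, `buildSampleTree`) and the sample tree are assumptions constructed for this example; it uses `node:` module specifiers so it runs under Node or Deno, and it does not follow symlinks.

```typescript
// Added example (not Deno's own resolver): containment check for a package's
// "main" entry, plus a node_modules audit built on that check.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Return the resolved entrypoint if it stays inside pkgDir, otherwise null.
// Paths are normalized before comparison so "lib/../index.js" is accepted
// while "../../../secret.json" is not. The trailing separator matters:
// without it "node_modules/foo" would wrongly accept "node_modules/foo-bar".
export function resolveEntrypoint(pkgDir: string, main: string): string | null {
  const base = path.resolve(pkgDir);
  // path.resolve discards pkgDir entirely when main is absolute, so reject early.
  if (path.isAbsolute(main)) return null;
  const candidate = path.resolve(base, main);
  if (candidate === base) return candidate; // main of "." means the package dir itself
  return candidate.startsWith(base + path.sep) ? candidate : null;
}

export interface Finding {
  pkgDir: string; // package directory whose manifest is suspicious
  main: string;   // the offending "main" value, verbatim
}

// List package directories one level below node_modules, descending into
// @scope/ directories and skipping .bin. Missing directories yield nothing.
function listPackageDirs(nodeModulesDir: string): string[] {
  const dirs: string[] = [];
  if (!fs.existsSync(nodeModulesDir)) return dirs;
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const full = path.join(nodeModulesDir, entry.name);
    if (entry.name.startsWith("@")) {
      for (const sub of fs.readdirSync(full, { withFileTypes: true })) {
        if (sub.isDirectory()) dirs.push(path.join(full, sub.name));
      }
    } else if (entry.name !== ".bin") {
      dirs.push(full);
    }
  }
  return dirs;
}

// Audit every package.json under nodeModulesDir (including nested
// node_modules inside packages) and report "main" fields that escape.
export function auditNodeModules(nodeModulesDir: string): Finding[] {
  const findings: Finding[] = [];
  for (const pkgDir of listPackageDirs(nodeModulesDir)) {
    const manifest = path.join(pkgDir, "package.json");
    if (fs.existsSync(manifest)) {
      let main: unknown;
      try {
        main = JSON.parse(fs.readFileSync(manifest, "utf8")).main;
      } catch {
        main = undefined; // unparsable manifest: outside the scope of this check
      }
      // An absent main defaults to index.js inside the package, so only strings matter.
      if (typeof main === "string" && resolveEntrypoint(pkgDir, main) === null) {
        findings.push({ pkgDir, main });
      }
    }
    findings.push(...auditNodeModules(path.join(pkgDir, "node_modules")));
  }
  return findings;
}

// Constructed sample tree in a temp dir: two benign packages (one scoped) and
// one whose "main" climbs out of node_modules. Returns the tree's root.
export function buildSampleTree(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "byonm-audit-"));
  const write = (pkg: string, main: string): void => {
    const dir = path.join(root, "node_modules", pkg);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name: pkg, main }));
  };
  write("good-pkg", "lib/index.js");
  write("@scope/also-good", "./dist/main.js");
  write("evil-pkg", "../../../secret.json"); // constructed malicious entry for the demo
  return root;
}

// Stand-alone run: audit the constructed tree, print findings, clean up.
const sampleRoot = buildSampleTree();
for (const f of auditNodeModules(path.join(sampleRoot, "node_modules"))) {
  console.log(`main escapes package dir: ${f.pkgDir} main=${JSON.stringify(f.main)}`);
}
fs.rmSync(sampleRoot, { recursive: true, force: true });
```

Point `auditNodeModules` at a real project's node_modules directory to run the audit; anything it reports is a manifest that the pre-2.7.12 BYONM resolver would have followed outside the package. The check is deliberately the same normalized-prefix comparison on both the audit side and the resolver side, which is what prevents the "foo" versus "foo-bar" prefix mistake and the "lib/../index.js" false positive that a plain grep for ".." produces.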
Mitigation Strategies

Immediate mitigation steps include:

  • Avoid running Deno in BYONM (Bring Your Own Node Modules) mode until you upgrade to version 2.7.12 or later.
  • Upgrade Deno to version 2.7.12 or later where this vulnerability is fixed.
  • Audit all `package.json` files in your node modules for malicious or suspicious main fields that contain path traversal sequences.
  • Be aware that runs started with unrestricted `--allow-read` are not affected, because there is no read allowlist for the resolver to bypass. Widening permissions removes the restriction rather than fixing the resolver, so treat it as a stopgap only where the workload already needs full read access.

Compliance Impact

This vulnerability allows a malicious package to bypass read permission restrictions and access arbitrary files on disk, potentially exposing sensitive data that should be protected.

Such unauthorized access to sensitive files could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls over access to personal or protected health information.

Therefore, if exploited, this vulnerability could compromise compliance with these standards by enabling unauthorized data disclosure.
