CVE-2026-49411
Undergoing Analysis - In Progress
Deno Node.js Compatibility TCP Permission Bypass

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address (for example the decimal integer 2130706433 or the hex form 0x7f000001, both of which resolve to 127.0.0.1) and reach the denied destination through node:net.connect or node:http.request's { host, port } options form. This vulnerability is fixed in 2.8.0.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
deno | deno | to 2.8.0 (exc)
denoland | deno | 2.7.14
denoland | deno | From 2.8.0 (inc)
CWE ID | Description
CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability exists in Deno versions prior to 2.8.0 in the Node.js compatibility TCP path. The system checked network permissions against the original hostname string before DNS resolution but did not re-check after resolving the hostname to an IP address.

An attacker could exploit this by passing a numeric alias of an IP address (for example, the decimal 2130706433 or hex 0x7f000001, both resolving to 127.0.0.1) to node:net.connect or node:http.request options. Because the permission check was done only on the original hostname string, the attacker could bypass --deny-net restrictions and reach destinations that should have been blocked.

This issue did not affect native Deno APIs or URL-string variants because they re-checked permissions after resolution or normalized hostnames before checking.

Impact Analysis

This vulnerability allows less-trusted code, such as dependencies, plugins, or attacker-controlled input, to bypass network restrictions and connect to explicitly denied destinations like loopback or private IP addresses.

The impact is primarily on confidentiality, as unauthorized access to restricted network resources can occur. The CVSS score indicates a local attack vector with low complexity and privileges required, but with high confidentiality impact.

Detection Guidance

This vulnerability involves bypassing network permission checks by using numeric aliases of IP addresses in Node.js compatibility TCP paths within Deno versions prior to 2.8.0.

To detect exploitation attempts on your system or network, you should monitor for network connections or requests that use numeric IP aliases (such as decimal 2130706433 or hex 0x7f000001) instead of standard hostname strings.

Since the issue occurs via node:net.connect or node:http.request options with numeric host values, you can look for suspicious usage of these APIs or unusual numeric host formats in logs or runtime traces.

Specific commands are not provided in the resources, but general detection steps include:

  • Inspect application logs or network traffic for numeric IP addresses used as hostnames.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic for connections to loopback or private IPs using numeric aliases.
  • Audit code or dependencies for usage of node:net.connect or node:http.request with numeric host parameters.

Mitigation Strategies

The primary mitigation is to upgrade Deno to version 2.8.0 or later, where this vulnerability is fixed.

Additional immediate steps include:

  • Use --allow-net allowlists instead of broad --deny-net rules to restrict network access more precisely.
  • Validate and sanitize untrusted host input to prevent numeric IP aliases from being used.
  • Avoid using Node.js compatibility TCP path options-host forms (node:net.connect or node:http.request with host/port options) in favor of URL-string forms that re-check permissions.
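
The host-validation and audit steps above, as an added example that is not taken from Deno or the advisory: it canonicalizes numeric IPv4 spellings before the policy comparison, so the check sees the same address the connection will use. It goes beyond the two forms named on this page to the other classic inet_aton spellings (octal and short dotted forms); the function names, deny list and sample hosts are constructed for illustration.

```javascript
// Added example: canonicalize numeric IPv4 spellings before a host policy check.
// Parsing follows classic inet_aton rules (an assumption about the resolver).

// One component: 0x.. is hex, a leading 0 is octal, otherwise decimal.
function parsePart(part) {
  if (/^0x[0-9a-f]+$/i.test(part)) return parseInt(part, 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return null;
}

// Dotted-quad form of a numeric IPv4 spelling, or null for a real hostname.
function canonicalIPv4(host) {
  const parts = String(host).trim().replace(/\.$/, "").split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.includes(null)) return null;
  const last = nums.pop();
  // Leading parts are single bytes; the last part fills the remaining bytes.
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join(".");
}

// Policy check on the canonical form, so every spelling of an address matches.
function isHostDenied(host, denyList) {
  const canonical = canonicalIPv4(host) ?? String(host).trim().toLowerCase();
  return denyList.includes(canonical);
}

// Audit helper: numeric host that is not written as a plain dotted quad.
function isNumericAlias(host) {
  const canonical = canonicalIPv4(host);
  return canonical !== null && canonical !== String(host).trim();
}

// Constructed sample hosts, as they might appear in { host, port } options.
const sampleHosts = ["2130706433", "0x7f000001", "017700000001", "127.1",
  "127.0.0.1", "example.com", "10.0.0.5"];
const denyList = ["127.0.0.1"]; // hypothetical policy

function auditSample() {
  return sampleHosts.map((h) => ({ host: h, canonical: canonicalIPv4(h),
    alias: isNumericAlias(h), denied: isHostDenied(h, denyList) }));
}

console.table(auditSample());
```

Rejecting or logging any host for which `isNumericAlias` returns true is the stricter option when untrusted input has no legitimate reason to use such spellings.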

Compliance Impact

This vulnerability allows less-trusted code to bypass network permission restrictions and access explicitly denied destinations, such as loopback or private IP addresses. Such unauthorized access to restricted network resources could lead to exposure of sensitive data or systems.

Because the vulnerability enables unauthorized access to protected network areas, it may impact compliance with standards and regulations like GDPR or HIPAA, which require strict controls over access to sensitive data and systems to ensure confidentiality and prevent unauthorized disclosure.

Mitigations such as upgrading to patched versions, using allowlists, and validating untrusted input are necessary to maintain compliance and reduce the risk of unauthorized access.
