CVE-2026-49859
Undergoing Analysis - In Progress
Network Restriction Bypass in Deno Runtime

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
deno deno 2.8.1
denoland deno to 2.8.1 (inc)
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Executive Summary

The vulnerability CVE-2026-49859 affects the Deno runtime's fetch() API. When fetch() was called, Deno checked the destination hostname against --deny-net rules but did not verify the IP addresses that the hostname resolved to. This means an attacker could use a specially crafted domain name that passes the hostname check but resolves to a denied IP address, bypassing the network restrictions entirely.

Impact Analysis

This vulnerability allows an attacker to bypass network restrictions set by the --deny-net flag in Deno. If you run untrusted or third-party code with network restrictions relying on --deny-net, an attacker-controlled script could access restricted IP addresses by using a domain name that passes hostname checks but resolves to blocked IPs. This could lead to unauthorized network access and potential data exposure or other security risks.

Detection Guidance

This vulnerability involves a bypass of network restrictions in the Deno runtime's fetch() API due to missing IP address checks after DNS resolution. Detection would involve monitoring or analyzing network requests made by Deno scripts, especially those using fetch() with --deny-net rules.

Since the issue is related to DNS resolution and IP address checks, one approach is to verify if any fetch() calls are reaching IP addresses that should be blocked by --deny-net but are still accessed. This could be done by capturing network traffic or logging DNS resolutions and comparing them against deny-net rules.

No specific detection commands are provided in the available resources. However, general network monitoring tools like tcpdump or Wireshark can be used to capture outgoing connections from Deno processes. Additionally, inspecting Deno logs or running scripts with verbose network output might help identify suspicious connections.
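
The comparison described above (logged DNS resolutions checked against the deny list), as an added example that is not part of the original advisory or of Deno's own code. The rule list, the `{ host, addresses }` record shape and all sample data are constructed assumptions, and only IPv4 is handled.

```javascript
// Added example: audit logged DNS resolutions against a deny list (IPv4 only).
// DENY and DNS_LOG are constructed sample data, not values from the advisory.
// Parse a dotted-quad IPv4 address into an unsigned integer; null if not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Compile a deny entry: an IPv4 address, an IPv4 CIDR range, or a hostname.
// A bare address is treated as a /32 range.
function compileRule(rule) {
  const [addr, bits = "32"] = rule.split("/");
  const base = ipv4ToInt(addr);
  if (base === null) return { rule, host: rule.toLowerCase() };
  const size = 2 ** (32 - Number(bits));
  const start = Math.floor(base / size) * size;
  return { rule, start, end: start + size - 1 };
}

// One finding per resolved address that lands in a denied range although
// the hostname itself matched no deny entry (the gap the advisory describes).
function findBypasses(denyRules, records) {
  const rules = denyRules.map(compileRule);
  const findings = [];
  for (const { host, addresses } of records) {
    if (rules.some((r) => r.host === host.toLowerCase())) continue; // denied by name
    for (const ip of addresses) {
      const n = ipv4ToInt(ip);
      if (n === null) continue; // not IPv4: outside this example's scope
      const hit = rules.find((r) => r.host === undefined && n >= r.start && n <= r.end);
      if (hit) findings.push({ host, ip, rule: hit.rule });
    }
  }
  return findings;
}

const DENY = ["127.0.0.1", "10.0.0.0/8", "169.254.169.254", "internal.example"];
const DNS_LOG = [
  { host: "api.example.com", addresses: ["198.51.100.7"] },
  { host: "assets.example.net", addresses: ["203.0.113.10", "10.1.2.3"] },
  { host: "internal.example", addresses: ["10.0.0.5"] },
  { host: "metadata.example.org", addresses: ["169.254.169.254"] },
];
console.log(findBypasses(DENY, DNS_LOG));
```
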

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the Deno runtime to version 2.8.1 or later, where the vulnerability is fixed.

No workaround exists other than upgrading. Users relying on --deny-net to restrict host access should ensure they are not running vulnerable versions.

Compliance Impact

The vulnerability allows an attacker-controlled script to bypass network restrictions by resolving a domain name to a denied IP address, potentially enabling unauthorized network access.

Such unauthorized access could lead to data exposure or unauthorized communication, which may impact compliance with standards like GDPR or HIPAA that require strict controls over data access and transmission.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.
