CVE-2026-49859
Analyzed Analyzed - Analysis Complete

Network Restriction Bypass in Deno Runtime

Vulnerability report for CVE-2026-49859, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-29
Generated
2026-07-14
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
deno deno to 2.8.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-49859 affects the Deno runtime's fetch() API. When fetch() was called, Deno checked the destination hostname against --deny-net rules but did not verify the IP addresses that the hostname resolved to. This means an attacker could use a specially crafted domain name that passes the hostname check but resolves to a denied IP address, bypassing the network restrictions entirely.

Compliance Impact

The vulnerability allows an attacker-controlled script to bypass network restrictions by resolving a domain name to a denied IP address, potentially enabling unauthorized network access.

Such unauthorized access could lead to data exposure or unauthorized communication, which may impact compliance with standards like GDPR or HIPAA that require strict controls over data access and transmission.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Impact Analysis

This vulnerability allows an attacker to bypass network restrictions set by the --deny-net flag in Deno. If you run untrusted or third-party code with network restrictions relying on --deny-net, an attacker-controlled script could access restricted IP addresses by using a domain name that passes hostname checks but resolves to blocked IPs. This could lead to unauthorized network access and potential data exposure or other security risks.

Detection Guidance

This vulnerability involves a bypass of network restrictions in the Deno runtime's fetch() API due to missing IP address checks after DNS resolution. Detection would involve monitoring or analyzing network requests made by Deno scripts, especially those using fetch() with --deny-net rules.

Since the issue is related to DNS resolution and IP address checks, one approach is to verify if any fetch() calls are reaching IP addresses that should be blocked by --deny-net but are still accessed. This could be done by capturing network traffic or logging DNS resolutions and comparing them against deny-net rules.

No specific detection commands are provided in the available resources. However, general network monitoring tools like tcpdump or Wireshark can be used to capture outgoing connections from Deno processes. Additionally, inspecting Deno logs or running scripts with verbose network output might help identify suspicious connections.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the Deno runtime to version 2.8.1 or later, where the vulnerability is fixed.

No workaround exists other than upgrading. Users relying on --deny-net to restrict host access should ensure they are not running vulnerable versions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49859. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart