CVE-2026-49860
Undergoing Analysis - In Progress
WebSocket IP Bypass in Deno Runtime

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor    Product   Version / Range
denoland  deno      to 2.8.1 (exc)
denoland  deno      2.8.1
denoland  deno      From 2.8.0 (inc)
Exploitability

CWE ID   Description
CWE-918  The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49860 is a vulnerability in Deno versions 2.8.0 and earlier that affects the WebSocket API. When a WebSocket connection is opened, Deno checks the destination hostname against --deny-net rules but does not re-check the IP addresses that the hostname resolves to.

An attacker can exploit this by using a specially crafted domain name that passes the hostname check but resolves to an IP address that should be denied. This allows the attacker to bypass network restrictions intended to block certain IPs.

This vulnerability effectively allows code running with --deny-net enabled to connect to hosts that were meant to be blocked, such as localhost or internal services, potentially enabling malicious or compromised code to circumvent network isolation.
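The description and summary above both come down to one missing step: the deny rules were compared with the hostname, but never with the addresses that hostname resolved to. The following TypeScript is an added example written for this page; it is not Deno's code and does not reproduce the actual fix in 2.8.1. It assumes deny rules are plain hostnames, exact IPv4 addresses or IPv4 CIDR blocks, and it injects the resolver as a function so the example runs offline against a constructed lookup table. The vulnerable hostname-only check and the hardened resolve-then-check version sit side by side; the hardened version also hands back the vetted addresses so the caller dials those rather than resolving the name a second time.

```typescript
// Added example (not Deno's own code): hostname-only deny checks versus a check
// that also vets every address the hostname resolves to.

type DenyRule = string;                    // assumed shapes: "localhost", "127.0.0.1", "10.0.0.0/8"
type Resolver = (host: string) => string[]; // injected so the example runs offline

// Parse dotted-quad IPv4 into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when `ip` equals the rule or falls inside the rule's CIDR block.
function ipMatchesRule(ip: string, rule: DenyRule): boolean {
  if (ip === rule) return true;
  const slash = rule.indexOf("/");
  if (slash < 0) return false;
  const base = ipv4ToInt(rule.slice(0, slash));
  const bits = Number(rule.slice(slash + 1));
  const addr = ipv4ToInt(ip);
  if (base === null || addr === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((base & mask) >>> 0) === ((addr & mask) >>> 0);
}

// Vulnerable pattern: only the literal hostname is compared with the deny rules.
// A name that is not itself listed is allowed no matter where it resolves.
function hostnameOnlyCheck(host: string, deny: DenyRule[]): boolean {
  return !deny.includes(host); // true = connection allowed
}

// Hardened pattern: reject a listed hostname, resolve it, then require every
// resolved address to pass the rules too. Returns the vetted addresses (the
// caller should connect to exactly these, not re-resolve) or null when denied.
function hostnameAndAddressCheck(
  host: string,
  deny: DenyRule[],
  resolve: Resolver,
): string[] | null {
  if (deny.includes(host)) return null;
  const addrs = resolve(host);
  if (addrs.length === 0) return null; // fail closed when nothing resolves
  const allAllowed = addrs.every((ip) => !deny.some((rule) => ipMatchesRule(ip, rule)));
  return allAllowed ? addrs : null;
}

// Constructed sample data: a deny list covering loopback and one private range,
// and a fake resolver whose table maps a harmless-looking name to loopback.
const SAMPLE_DENY: DenyRule[] = ["localhost", "127.0.0.0/8", "10.0.0.0/8"];
const SAMPLE_TABLE: Record<string, string[]> = {
  "api.example.com": ["203.0.113.10"],
  "cdn.example.net": ["127.0.0.1"],
};
const SAMPLE_RESOLVER: Resolver = (host) => SAMPLE_TABLE[host] ?? [];

// Stand-alone demonstration of the difference between the two checks.
for (const host of ["api.example.com", "cdn.example.net", "localhost"]) {
  console.log(
    host,
    "hostname-only:", hostnameOnlyCheck(host, SAMPLE_DENY),
    "resolve-then-check:", hostnameAndAddressCheck(host, SAMPLE_DENY, SAMPLE_RESOLVER),
  );
}
```

Run with `deno run` or any TypeScript runner. The name `cdn.example.net` is not on the deny list, so the hostname-only check lets it through even though it resolves to 127.0.0.1; the resolve-then-check version denies it. Returning the vetted address list matters because a second resolution after the check could yield a different answer, which would reopen the same gap in a different form.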

Compliance Impact

This vulnerability allows an attacker to bypass network restrictions in Deno's WebSocket API, potentially enabling unauthorized connections to internal or restricted hosts.

Such unauthorized network access could lead to exposure or unauthorized transmission of sensitive data, which may impact compliance with data protection standards and regulations like GDPR or HIPAA that require strict controls on data access and network security.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Impact Analysis

This vulnerability can impact you by allowing malicious or compromised scripts running in Deno with --deny-net restrictions to bypass those network restrictions.

As a result, such scripts could connect to internal or otherwise restricted network hosts, such as localhost or internal services, which were intended to be inaccessible.

This could lead to unauthorized access to sensitive internal resources, data leakage, or further exploitation within your network environment.

Detection Guidance

This vulnerability involves a bypass of network restrictions in Deno's WebSocket API by exploiting hostname checks that do not verify resolved IP addresses. Detection would involve monitoring WebSocket connections initiated by Deno processes running with --deny-net enabled and verifying whether connections are made to IP addresses that should be blocked.

Since the vulnerability allows connections to denied IPs via specially crafted domain names, network monitoring tools could be used to detect unexpected WebSocket connections to internal or localhost IP addresses.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The only effective mitigation for this vulnerability is to upgrade Deno to version 2.8.1 or later, where the issue has been fixed.

No other workarounds or mitigations exist according to the advisory.
