Database Permission Bypass in Deno JavaScript Runtime
CVE-2025-48935

5.5MEDIUM

Key Information:

Vendor: Denoland
Status: Deno
Vendor: CVE Published:; 4 June 2025

What is CVE-2025-48935?

The Deno runtime, designed for JavaScript, TypeScript, and WebAssembly applications, has a vulnerability that allows attackers to bypass the permission checks associated with database read/write operations. This vulnerability can be exploited using the 'ATTACH DATABASE' SQL statement, affecting versions from 2.2.0 up to 2.2.4. A patch has been released in version 2.2.5 to address this critical security flaw, making it essential for users to update their installations promptly.

Affected Version(s)

deno >= 2.2.0, < 2.2.5

References

https://github.com/denoland/deno/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/denoland/deno/commit/31a97803995bd9462...

x_refsource_MISC

CVSS V4

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2025
Vulnerability Reserved
May 28, 2025

Denoland

What is CVE-2025-48935?

Affected Version(s)

References

CVSS V4

Timeline