Permission Bypass in Deno JavaScript and TypeScript Runtime
CVE-2025-61785

3.3LOW

Key Information:

Vendor

Denoland

Status
Deno
Vendor
CVE Published:
8 October 2025

What is CVE-2025-61785?

A vulnerability exists in earlier versions of the Deno runtime that allows unauthorized modification of file timestamps. The issue revolves around the inability of the permission model to restrict the modification of access and modification times (atime and mtime) on file stream resources. Even when files are opened with read-only permissions and explicit write denial (--deny-write=./), users can still alter these timestamps. This creates a significant security concern as it bypasses expected permission checks. Versions 2.5.3 and 2.2.15 address this flaw by enforcing permission limitations properly.

Affected Version(s)

deno >= 2.3.0, < 2.5.3 < 2.3.0, 2.5.3

deno < 2.2.15 < 2.2.15

References

https://github.com/denoland/deno/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/denoland/deno/pull/30872
x_refsource_MISC
https://github.com/denoland/deno/commit/992e998dfe436cdc9...
x_refsource_MISC

CVSS V3.0

Score:
3.3
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-61785 : Permission Bypass in Deno JavaScript and TypeScript Runtime