File Access Permissions Bypass in Deno Runtime
CVE-2025-61786

3.3 LOW

Key Information:

Vendor

Denoland

Status
Vendor
CVE Published: 8 October 2025

What is CVE-2025-61786?

A vulnerability in the Deno runtime allows file statistics to be retrieved without read permission, circumventing the permission model. Specifically, Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync do not enforce the expected permission restrictions when the --deny-read=./ flag is applied. Users can therefore access file statistics even if they lack explicit read access. The issue has been addressed in Deno versions 2.5.3 and 2.2.15.

Affected Version(s)

deno >= 2.3.0, < 2.5.3

deno < 2.2.15

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
