Denial of Network Restrictions in Deno Runtime
CVE-2026-49860

5.2 MEDIUM

Key Information:

Vendor

Denoland

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-49860?

In versions of Deno (the JavaScript, TypeScript, and WebAssembly runtime) before 2.8.1, a security flaw was identified in the handling of WebSocket connections. When a WebSocket connection was initiated, Deno checked the hostname against its --deny-net rules but did not verify the IP addresses that the hostname resolved to. An attacker could therefore use a crafted domain that passed the hostname check while resolving to a prohibited IP address, circumventing the intended network restrictions. This issue has been mitigated in version 2.8.1.
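
The gap described above, shown as an added example that is not Deno's code: a deny-list check that compares only the hostname, next to one that also checks every resolved address. The function names, the simplified rule syntax (exact match on names and IPv4 literals, optional port) and the DNS data are assumptions constructed for illustration.

```javascript
// Added illustration, not Deno's implementation. All names are hypothetical.
// Constructed DNS data stands in for a real resolver so the example runs offline.
const CONSTRUCTED_DNS = {
  "api.public.example": ["203.0.113.10"],
  "alias.public.example": ["203.0.113.10", "10.0.0.5"],
};
const resolveConstructed = (host) => CONSTRUCTED_DNS[host] ?? [];

// Simplified rule syntax: "host" or "host:port" (names and IPv4 literals only).
function parseDenyList(entries) {
  return entries.map((entry) => {
    const i = entry.lastIndexOf(":");
    return i === -1
      ? { host: entry.toLowerCase(), port: null }
      : { host: entry.slice(0, i).toLowerCase(), port: Number(entry.slice(i + 1)) };
  });
}

function isDenied(rules, host, port) {
  return rules.some((r) => r.host === host.toLowerCase() && (r.port === null || r.port === port));
}

// Extract host and effective port from a ws:// or wss:// URL.
function target(url) {
  const u = new URL(url);
  return { hostname: u.hostname, port: u.port ? Number(u.port) : u.protocol === "wss:" ? 443 : 80 };
}

// Weak form described in the advisory: only the hostname is compared to the rules.
function checkHostnameOnly(rules, url) {
  const { hostname, port } = target(url);
  return { allowed: !isDenied(rules, hostname, port) };
}

// Corrected form: every resolved address must also pass, and the vetted
// addresses are returned so the caller connects to them without resolving again.
function checkResolved(rules, url, resolve) {
  const { hostname, port } = target(url);
  if (isDenied(rules, hostname, port)) return { allowed: false, reason: `host ${hostname} denied` };
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
  const addrs = isIPv4 ? [hostname] : resolve(hostname);
  if (addrs.length === 0) return { allowed: false, reason: "no addresses" };
  const bad = addrs.find((a) => isDenied(rules, a, port));
  return bad
    ? { allowed: false, reason: `${hostname} resolves to denied address ${bad}` }
    : { allowed: true, connectTo: addrs };
}
```

Connecting to the returned connectTo addresses, instead of resolving the name a second time, keeps the address that was checked and the address that is used identical.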

Affected Version(s)

deno < 2.8.1

CVSS V3.1

Score: 5.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
