icon

We found results for “

CVE-2025-48934

Good to know:

icon

Date: June 4, 2025

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the "Deno.env.toObject" method ignores any variables listed in the "--deny-env" option of the "deno run" command. When looking at the documentation of the "--deny-env" option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the "Deno.env.toObject()" method. Versions 2.1.13 and 2.2.13 contains a patch.

Severity Score

Severity Score

Weakness Type (CWE)

Insertion of Sensitive Information Into Sent Data

CWE-201

Top Fix

icon

Upgrade Version

Upgrade to version deno - 2.1.13;deno - 2.2.13;https://github.com/denoland/deno.git - v2.2.13;https://github.com/denoland/deno.git - v2.1.12

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us