CVE-2025-61786
Good to know:
Date: October 7, 2025
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, "Deno.FsFile.prototype.stat" and "Deno.FsFile.prototype.statSync" are not limited by the permission model check "--deny-read=./". It is possible to retrieve stats for files that the user does not have explicit read access to (the script is executed with "--deny-read=./"). Similar APIs such as "Deno.stat" and "Deno.statSync" require the "allow-read" permission. However, once a file is opened, even with write-only flags and the deny-read permission in effect, it is still possible to retrieve its stats and thus bypass the permission model. Versions 2.5.3 and 2.2.15 fix the issue.
Weakness Type (CWE)
Improper Privilege Management
CWE-269
Top Fix
Upgrade Version
Upgrade to version deno - 2.2.15; deno - 2.5.3; https://github.com/denoland/deno.git - v2.2.15; https://github.com/denoland/deno.git - v2.5.3
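A version check for the two fixed releases, as an added example that is not part of the advisory or of Deno's own code. It assumes 2.2.15 patches only the 2.2.x line, so that 2.3.0 through 2.5.2 remain affected; the function and constant names are hypothetical.

```javascript
// Added example, not part of the advisory: decide whether a Deno version
// string predates the fixes named above (2.2.15 and 2.5.3).
// Assumption: 2.2.15 patches only the 2.2.x line, so 2.3.0 through 2.5.2
// stay affected until 2.5.3.
const FIXED_BACKPORT = [2, 2, 15];
const FIXED_MAINLINE = [2, 5, 3];

// Accepts "2.5.3", "v2.5.3" or the first line of `deno --version`.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(text));
  if (!m) throw new Error(`no version number found in: ${text}`);
  return {
    triple: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: Boolean(m[4]),
  };
}

// Returns a negative number, zero or a positive number, like a sort comparator.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function isAffected(text) {
  const { triple, prerelease } = parseVersion(text);
  const onBackportLine = triple[0] === 2 && triple[1] === 2;
  const fix = onBackportLine ? FIXED_BACKPORT : FIXED_MAINLINE;
  const order = compareTriples(triple, fix);
  // A pre-release of the fixed version sorts before it, so count it as affected.
  return order < 0 || (order === 0 && prerelease);
}

// When run under Deno itself, report on the running binary.
if (typeof Deno !== "undefined") {
  const v = Deno.version.deno;
  console.log(`${v}: ${isAffected(v) ? "affected" : "fixed"}`);
}
```

A plain "older than 2.5.3" comparison would flag 2.2.15 as affected, and a plain "at least 2.2.15" comparison would pass 2.4.0, which is why the 2.2.x line is handled separately.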
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | LOCAL |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | NONE |
| Availability (A): | NONE |


