CVE-2026-49401
7.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to –deny-read, –deny-write, –deny-run, or –deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| denoland | deno | < 2.7.14 | affected |
Weaknesses
- CWE-41: CWE-41: Improper Resolution of Path Equivalence
- CWE-176: CWE-176: Improper Handling of Unicode Encoding
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.