Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the `Deno.env.toObject()` method. Versions 2.1.13 and 2.2.13 contains a patch.

INFO

Published Date :

2025-06-04T19:21:17.701Z

Last Modified :

2025-06-04T19:32:14.582Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-48934 vulnerability.

Vendors Products
Deno
  • Deno
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-48934.

URL Resource
https://docs.deno.com/api/deno/~/Deno.Env.toObject cve-icon cve-icon
https://docs.deno.com/runtime/fundamentals/security/#environment-variables cve-icon cve-icon
https://github.com/denoland/deno/commit/2959e083912420988066a001c2b2d6732a1b562f cve-icon cve-icon
https://github.com/denoland/deno/commit/946ccda1aa19a00c478a5e6826b75053b050d753 cve-icon cve-icon
https://github.com/denoland/deno/pull/29079 cve-icon cve-icon
https://github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact