Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not limited by the permission model check `--deny-read=./`. It's possible to retrieve stats from files that the user do not have explicit read access to (the script is executed with `--deny-read=./`). Similar APIs like `Deno.stat` and `Deno.statSync` require `allow-read` permission, however, when a file is opened, even with file-write only flags and deny-read permission, it's still possible to retrieve file stats, and thus bypass the permission model. Versions 2.5.3 and 2.2.15 fix the issue.

INFO

Published Date :

2025-10-08T00:49:42.824Z

Last Modified :

2025-10-08T18:54:33.415Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-61786 vulnerability.

Vendors Products
Deno
  • Deno
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-61786.

URL Resource
https://github.com/denoland/deno/commit/1ab2268c0bcbf9b0468e0e36963f77f8c31c73ec cve-icon cve-icon
https://github.com/denoland/deno/pull/30876 cve-icon cve-icon
https://github.com/denoland/deno/releases/tag/v2.2.15 cve-icon cve-icon
https://github.com/denoland/deno/releases/tag/v2.5.3 cve-icon cve-icon
https://github.com/denoland/deno/security/advisories/GHSA-qq26-84mh-26j9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact