CVE-2025-48888 – Deno Deny-Read Allow-Read Permission Confusion

CVE ID : CVE-2025-48888

Published : June 4, 2025, 8:15 p.m.

Description : Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in access being allowed, even though 'deny' should be stronger. The result is the same for all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.

Severity: 0.0 | NA
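
A defender-side check for the condition described above, as an added example (not code from Deno or from the advisory): it tests whether a Deno version falls in the affected range and whether a command line passes the same permission globally as both `--allow-*` and `--deny-*`. The function names, the sample command lines in the comments, and the treatment of release lines newer than 2.3 as fixed are assumptions.

```javascript
// Added example, not Deno project code. Version bounds are taken from the advisory text.
const FIXED_PATCH = { "2.1": 13, "2.2": 13, "2.3": 2 }; // first fixed patch per release line

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` is >= 1.41.3 and below the fix for its release line.
// Assumption: release lines newer than 2.3 already carry the fix.
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const v = m.slice(1).map(Number);
  if (compareVersions(v, [1, 41, 3]) < 0) return false;
  const line = `${v[0]}.${v[1]}`;
  if (line in FIXED_PATCH) return v[2] < FIXED_PATCH[line];
  return compareVersions(v, [2, 1, 0]) < 0; // 1.41.3 through 2.0.x: no fixed release listed
}

// Permission names passed globally (no =value) as both --allow-X and --deny-X.
// Simplification: every token is scanned, so arguments meant for the script
// itself can produce a false positive; short flag forms are not handled.
function conflictingGlobalPermissions(commandLine) {
  const allow = new Set();
  const deny = new Set();
  for (const token of commandLine.trim().split(/\s+/)) {
    const m = /^--(allow|deny)-([a-z]+)$/.exec(token);
    if (m) (m[1] === "allow" ? allow : deny).add(m[2]);
  }
  return [...allow].filter((name) => deny.has(name)).sort();
}

// Permissions whose deny flag is not honoured for this version and command line.
function unenforcedDenies(version, commandLine) {
  return isAffectedVersion(version) ? conflictingGlobalPermissions(commandLine) : [];
}

// Constructed sample: the invocation quoted in the advisory, on an affected release.
console.log(unenforcedDenies("2.3.1", "deno run --allow-read --deny-read main.ts"));
```
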
