216.73.217.98

CVE-2025-48934

· Published 04/06/2025 20:15 · Modified 05/06/2025 20:12

Labels: CVE-2025-48934 2025-06-04CVE-2025-48934CWE-201[email protected]

Essential information

Published
04/06/2025 20:15
Modified
05/06/2025 20:12
Author
Creator
CVSS
5.5 MEDIUM (v3) 5.5 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the `Deno.env.toObject()` method. Versions 2.1.13 and 2.2.13 contains a patch.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
deno / deno cpe:2.3:a:deno:deno:<2.1.13:*:*:*:*:*:*:*
deno / deno cpe:2.3:a:deno:deno:<2.2.13:*:*:*:*:*:*:*

References