denoland — Vulnerabilities & Security Advisories (30)

Browse all 30 CVE security advisories affecting denoland. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Denoland operates as a technology company specializing in the Deno runtime, a modern JavaScript and TypeScript execution environment designed for server-side and command-line applications. While the runtime itself is robust, its ecosystem and associated tools have historically been subject to various security flaws. Recorded vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation issues, often stemming from improper input validation or insecure default configurations within third-party modules or bundled utilities. These weaknesses can allow attackers to execute arbitrary commands or bypass security controls in affected deployments. Although Deno emphasizes security by default, the complexity of its module registry and the rapid pace of development have led to a notable number of Common Vulnerabilities and Exposures. Organizations utilizing Deno must prioritize regular dependency updates and strict security auditing to mitigate these risks effectively.

Top products by denoland: deno, std

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32260 | Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix) | deno | CWE-78 | 8.1 | High | 2026-03-12 |
| CVE-2026-27190 | Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process | deno | CWE-78 | 8.1 | High | 2026-02-20 |
| CVE-2026-22864 | Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass | deno | CWE-77 | 8.1 | High | 2026-01-15 |
| CVE-2026-22863 | Deno node:crypto doesn't finalize cipher | deno | CWE-325 | 7.5 | - | 2026-01-15 |
| CVE-2025-61787 | Deno is Vulnerable to Command Injection on Windows During Batch File Execution | deno | CWE-77 | 8.1 | High | 2025-10-08 |
| CVE-2025-61786 | Deno's --deny-read check does not prevent permission bypass | deno | CWE-269 | 3.3 | Low | 2025-10-08 |
| CVE-2025-61785 | Deno's --deny-write check does not prevent permission bypass | deno | CWE-266 | 5.3 (AI) | Medium (AI) | 2025-10-08 |
| CVE-2025-55195 | @std/toml Prototype Pollution in Node.js and Browser | std | CWE-1321 | 7.3 | High | 2025-08-14 |
| CVE-2025-48935 | Deno has --allow-read / --allow-write permission bypass in `node:sqlite` | deno | CWE-863 | 8.1 (AI) | High (AI) | 2025-06-04 |
| CVE-2025-48934 | Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables | deno | CWE-201 | 7.5 (AI) | High (AI) | 2025-06-04 |
| CVE-2025-48888 | Deno run with --allow-read and --deny-read flags results in allowed | deno | CWE-863 | 7.1 (AI) | High (AI) | 2025-06-04 |
| CVE-2025-24015 | Deno's AES GCM authentication tags are not verified | deno | CWE-347 | 9.8 (AI) | Critical (AI) | 2025-06-03 |
| CVE-2025-21620 | Deno's authorization headers not dropped when redirecting cross-origin | deno | CWE-200 | 7.5 | High | 2025-01-06 |
| CVE-2024-32468 | Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator | deno | CWE-79 | 5.4 | Medium | 2024-11-25 |
| CVE-2024-52793 | XSS vulnerability in serveDir API of @std/http/file-server on POSIX systems | std | CWE-79 | 5.4 | - | 2024-11-22 |
| CVE-2024-37150 | Private npm registry support used scope auth token for downloading tarballs | deno | CWE-200 | 7.6 | High | 2024-06-06 |
| CVE-2024-34346 | Deno contains a permission escalation via open of privileged files with missing `--deny` flag | deno | CWE-863 | 8.5 | High | 2024-05-07 |
| CVE-2024-32477 | Race condition when flushing input stream leads to permission prompt bypass | deno | CWE-78 | 7.7 | High | 2024-04-18 |
| CVE-2024-27936 | Deno interactive permission prompt spoofing via improper ANSI stripping | deno | CWE-150 | 8.8 | High | 2024-03-06 |
| CVE-2024-27935 | Deno's Node.js Compatibility Runtime has Cross-Session Data Contamination | deno | CWE-488 | 7.2 | High | 2024-03-06 |
| CVE-2024-27934 | *const c_void / ExternalPointer unsoundness leading to use-after-free | deno | CWE-416 | 8.4 | High | 2024-03-06 |
| CVE-2024-27933 | Deno arbitrary file descriptor close via `op_node_ipc_pipe()` leading to permission prompt bypass | deno | CWE-863 | 8.3 | High | 2024-03-06 |
| CVE-2024-27932 | Deno's improper suffix match testing for DENO_AUTH_TOKENS | deno | CWE-20 | 4.6 | Medium | 2024-03-06 |
| CVE-2024-27931 | Insufficient permission checking in `Deno.makeTemp*` APIs | deno | CWE-20 | 5.8 | Medium | 2024-03-05 |
| CVE-2023-33966 | Deno missing "--allow-net" permission check for built-in Node modules | deno | CWE-269 | 8.6 | High | 2023-05-31 |
| CVE-2023-28446 | Deno is vulnerable to interactive `run` permission prompt spoofing via improper ANSI neutralization | deno | CWE-150 | 8.8 | High | 2023-03-24 |
| CVE-2023-28445 | Deno improperly handles resizable ArrayBuffer | deno | CWE-125 | 10.0 | Critical | 2023-03-23 |
| CVE-2023-22499 | Interactive permission prompt spoofing in Deno | deno | CWE-362 | 7.5 | High | 2023-01-17 |
| CVE-2022-24783 | Sandbox bypass leading to arbitrary code execution in Deno | deno | CWE-269 | 10.0 | Critical | 2022-03-25 |
| CVE-2021-32619 | Static imports inside dynamically imported modules do not adhere to permission checks | deno | CWE-285 | 9.8 | Critical | 2021-05-28 |

This page lists every published CVE security advisory associated with denoland. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.