Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. The documentation of the --deny-env option can give the false impression that variables listed in the option are impossible to read. Software that relies on the combination of --allow-env and --deny-env to allow access to most environment variables except a few sensitive ones is vulnerable to malicious code that tries to steal secrets using the Deno.env.toObject() method. Versions 2.1.13 and 2.2.13 contain a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| deno (crates.io) | < 2.1.13 | 2.1.13 |
| deno (crates.io) | >= 2.2.0, < 2.2.13 | 2.2.13 |
| deno_runtime (crates.io) | < 0.212.0 | 0.212.0 |
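An audit helper for this advisory, added here as an example (it is not code from the Deno project or from the advisory): `isAffectedDeno` encodes the affected ranges listed above for the deno package, and `probeDenyEnv` reports whether `toObject()` returns names that were passed to `--deny-env`. The function names are illustrative, and `FOOBAR` in the usage line is a sample variable name.

```javascript
// Affected ranges for the deno package, from the advisory table:
//   < 2.1.13   and   >= 2.2.0, < 2.2.13

// Parse "2.1.13" or "v2.1.13" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Compare two [major, minor, patch] triples: returns -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside one of the affected ranges.
function isAffectedDeno(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable version: ${version}`);
  return cmp(v, [2, 1, 13]) < 0 ||
    (cmp(v, [2, 2, 0]) >= 0 && cmp(v, [2, 2, 13]) < 0);
}

// Probe an env API (Deno.env, or a stand-in object with toObject()).
// `denied` holds the names that were passed to --deny-env.
function probeDenyEnv(env, denied) {
  let all;
  try {
    all = env.toObject();
  } catch (err) {
    // Patched runtimes refuse the bulk read when a deny list is present.
    return { status: "enforced", leaked: [], error: err.name };
  }
  const has = (name) => Object.prototype.hasOwnProperty.call(all, name);
  const leaked = denied.filter(has);
  return { status: leaked.length ? "bypassed" : "nothing-leaked", leaked };
}

// Under Deno: deno run --allow-env --deny-env=FOOBAR probe.js
if (typeof Deno !== "undefined") {
  const version = Deno.version.deno;
  console.log(version, isAffectedDeno(version), probeDenyEnv(Deno.env, ["FOOBAR"]));
}
```

The probe is only meaningful when the denied variable is actually set in the process environment; a result of `nothing-leaked` on an affected version means the variable was absent, not that the deny list was honoured.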
Affected products (1)
Patches (2)
946ccda1aa19 fix: make --allow-env stronger that --deny-env (#29079)
4 files changed · +31 −1
runtime/permissions/lib.rs+18 −1 modified@@ -1912,7 +1912,7 @@ impl UnaryPermission<EnvQueryDescriptor> { pub fn check_all(&mut self) -> Result<(), PermissionDeniedError> { skip_check_if_is_permission_fully_granted!(self); - self.check_desc(None, false, None) + self.check_desc(None, true, None) } } @@ -5215,4 +5215,21 @@ mod tests { ); } } + + #[test] + fn test_env_check_all() { + set_prompter(Box::new(TestPrompter)); + let parser = TestPermissionDescriptorParser; + let mut perms = Permissions::from_options( + &parser, + &PermissionsOptions { + allow_env: Some(vec![]), + deny_env: Some(svec!["FOO"]), + ..Default::default() + }, + ) + .unwrap(); + + assert!(perms.env.check_all().is_err()); + } }
tests/specs/run/permission_env_allow_and_deny/main.out+4 −0 added@@ -0,0 +1,4 @@ +error: Uncaught (in promise) NotCapable: Requires env access, run again with the --allow-env flag +console.log(Deno.env.toObject()); + ^ +[WILDCARD]main.ts:1:22
tests/specs/run/permission_env_allow_and_deny/main.ts+1 −0 added@@ -0,0 +1 @@ +console.log(Deno.env.toObject());
tests/specs/run/permission_env_allow_and_deny/__test__.jsonc+8 −0 added@@ -0,0 +1,8 @@ +{ + "args": "run --allow-env --deny-env=FOOBAR main.ts", + "output": "main.out", + "exitCode": 1, + "envs": { + "FOOBAR": "FOOBAR" + } +}
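Review bot: In check_all in runtime/permissions/lib.rs, the whole fix is a bare boolean flipped from false to true in self.check_desc(None, true, None), and nothing in the hunk says what that second argument controls. Please add a short comment at the call stating why check_all must pass true when a deny list is present, so a later refactor does not flip it back. It is also worth confirming that skip_check_if_is_permission_fully_granted!(self) on the line above cannot return early while --deny-env entries exist, since that would skip the corrected call.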
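Review bot: The expected output in main.out tells the user to "run again with the --allow-env flag", yet the spec in __test__.jsonc already runs with --allow-env --deny-env=FOOBAR. For this case the message points at the wrong remedy; consider wording the error so that the refusal of Deno.env.toObject() is attributed to the --deny-env entries, and update main.out to match.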
2959e0839124 fix: make --allow-env stronger that --deny-env (#29079)
4 files changed · +31 −1
runtime/permissions/lib.rs+18 −1 modified@@ -1944,7 +1944,7 @@ impl UnaryPermission<EnvQueryDescriptor> { pub fn check_all(&mut self) -> Result<(), PermissionDeniedError> { skip_check_if_is_permission_fully_granted!(self); - self.check_desc(None, false, None) + self.check_desc(None, true, None) } } @@ -5263,4 +5263,21 @@ mod tests { ); } } + + #[test] + fn test_env_check_all() { + set_prompter(Box::new(TestPrompter)); + let parser = TestPermissionDescriptorParser; + let mut perms = Permissions::from_options( + &parser, + &PermissionsOptions { + allow_env: Some(vec![]), + deny_env: Some(svec!["FOO"]), + ..Default::default() + }, + ) + .unwrap(); + + assert!(perms.env.check_all().is_err()); + } }
tests/specs/run/permission_env_allow_and_deny/main.out+4 −0 added@@ -0,0 +1,4 @@ +error: Uncaught (in promise) NotCapable: Requires env access, run again with the --allow-env flag +console.log(Deno.env.toObject()); + ^ +[WILDCARD]main.ts:1:22
tests/specs/run/permission_env_allow_and_deny/main.ts+1 −0 added@@ -0,0 +1 @@ +console.log(Deno.env.toObject());
tests/specs/run/permission_env_allow_and_deny/__test__.jsonc+8 −0 added@@ -0,0 +1,8 @@ +{ + "args": "run --allow-env --deny-env=FOOBAR main.ts", + "output": "main.out", + "exitCode": 1, + "envs": { + "FOOBAR": "FOOBAR" + } +}
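Review bot: test_env_check_all in the second lib.rs hunk asserts only the failing case (allow_env: Some(vec![]) together with deny_env: Some(svec!["FOO"])). Add the complementary assertion that check_all() still succeeds with the same allow_env and no deny_env, so the test would catch a regression where check_all() fails unconditionally. The spec under tests/specs/run/permission_env_allow_and_deny likewise exercises only Deno.env.toObject(); a second case showing that a variable outside the deny list is still readable under the same flags would pin down the intended behaviour.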
References (8)
- github.com/advisories/GHSA-7w8p-chxq-2789 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-48934 (ghsa, ADVISORY)
- docs.deno.com/api/deno/~/Deno.Env.toObject (ghsa, x_refsource_MISC, WEB)
- docs.deno.com/runtime/fundamentals/security/ (ghsa, x_refsource_MISC, WEB)
- github.com/denoland/deno/commit/2959e083912420988066a001c2b2d6732a1b562f (ghsa, x_refsource_MISC, WEB)
- github.com/denoland/deno/commit/946ccda1aa19a00c478a5e6826b75053b050d753 (ghsa, x_refsource_MISC, WEB)
- github.com/denoland/deno/pull/29079 (ghsa, x_refsource_MISC, WEB)
- github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789 (ghsa, x_refsource_CONFIRM, WEB)