crates.io package
deno_runtime
pkg:cargo/deno_runtime
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-48934 | — | < 0.212.0 | 0.212.0 | Jun 4, 2025 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this migh | ||
| CVE-2025-48888 | — | >= 0.150.0, < 0.212.0 | 0.212.0 | Jun 4, 2025 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global una | ||
| CVE-2024-27936 | — | >= 0.103.0, < 0.147.0 | 0.147.0 | Mar 6, 2024 | Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence int | ||
| CVE-2023-33966 | — | >= 0.114.0, < 0.115.0 | 0.115.0 | May 31, 2023 | Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying | ||
| CVE-2023-28446 | — | >= 1.8.0, < 1.31.2 | 1.31.2 | Mar 24, 2023 | Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with an | ||
| CVE-2023-28445 | — | >= 0.102.0, < 0.103.0 | 0.103.0 | Mar 23, 2023 | Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in |
- CVE-2025-48934Jun 4, 2025affected < 0.212.0fixed 0.212.0
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this migh
- CVE-2025-48888Jun 4, 2025affected >= 0.150.0, < 0.212.0fixed 0.212.0
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global una
- CVE-2024-27936Mar 6, 2024affected >= 0.103.0, < 0.147.0fixed 0.147.0
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence int
- CVE-2023-33966May 31, 2023affected >= 0.114.0, < 0.115.0fixed 0.115.0
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in `node:http` or `node:https` modules are incorrectly not checked against the network permission allow list (`--allow-net`). Dependencies relying
- CVE-2023-28446Mar 24, 2023affected >= 1.8.0, < 1.31.2fixed 1.31.2
Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with an
- CVE-2023-28445Mar 23, 2023affected >= 0.102.0, < 0.103.0fixed 0.103.0
Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions that are shrunk during the asynchronous operation could result in an out-of-bound read/write. It is unlikely that this has been exploited in