VYPR advisory · Published Jun 17, 2026 · Updated Jun 18, 2026 · 1 source

Deno: Nine CVEs Disclosed in 24 Hours — Sandbox Bypasses, Command Injection, and Crypto Flaw


Key findings

  • Nine CVEs disclosed in a 24-hour window across nearly every Deno subsystem
  • Five bugs directly bypass Deno's permission model (filesystem, network, env)
  • CVE-2026-49402 allows command injection on Windows via shell metacharacters
  • CVE-2026-49440: crypto.checkPrime() runs zero Miller-Rabin rounds by default
  • CVE-2026-49401: Unicode normalization mismatch on macOS APFS bypasses deny rules
  • No coordinated patch released yet; users should monitor Deno releases

On June 16–17, 2026, Denoland disclosed nine distinct security vulnerabilities in the Deno runtime, spanning sandbox escapes, permission bypasses, command injection, and a cryptographic weakness. The batch, published over a 24-hour window, touches nearly every subsystem of the JavaScript/TypeScript runtime — from the permission model and WebSocket handling to Node.js compatibility layers and the crypto module. Several of the bugs allow a malicious actor to bypass Deno's core security guarantees, making this one of the most consequential coordinated disclosures in the project's history.

Permission Bypass via Unicode Normalization (CVE-2026-49401)

On macOS, Deno's filesystem permission checks compared paths at the raw-byte level, but the APFS filesystem performs Unicode normalization before resolving paths. This mismatch allowed an attacker to craft a path that bypassed --deny-read, --deny-write, --deny-run, or --deny-ffi restrictions by using a different Unicode representation of the same file name. The result is a sandbox escape on macOS systems.
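The following is an added illustration, not Deno's code, of the comparison mismatch described above. The deny rules and paths are constructed for the example (the `secr\u00e9t` directory name is written with explicit escapes so the two Unicode forms are unambiguous); the normalization form chosen for comparison (NFC) is an assumption, since any single consistent form on both sides closes the gap. `isDeniedRawBytes` reproduces the byte-level comparison, `isDeniedNormalized` shows the corrected check.

```javascript
// Constructed deny rules, as a user might pass them with --deny-read.
// "secr\u00e9t" uses the precomposed (NFC) form of the accented letter.
const DENY_READ_RULES = ["/Users/alice/secr\u00e9t"];

// A rule covers the path itself and everything beneath it.
function ruleCovers(rule, candidate) {
  return candidate === rule || candidate.startsWith(rule + "/");
}

// Byte-for-byte comparison: this is the behaviour described as vulnerable.
// A path written in NFD form ("e" + combining acute) never matches an NFC rule,
// even though APFS treats both spellings as the same file.
function isDeniedRawBytes(requestedPath, rules = DENY_READ_RULES) {
  return rules.some((rule) => ruleCovers(rule, requestedPath));
}

// Corrected comparison: canonicalise both sides to one Unicode form first,
// so that every spelling the filesystem would unify is compared as one string.
function canonical(p) {
  return p.normalize("NFC");
}

function isDeniedNormalized(requestedPath, rules = DENY_READ_RULES) {
  const wanted = canonical(requestedPath);
  return rules.some((rule) => ruleCovers(canonical(rule), wanted));
}

// Constructed request: same directory name, but in NFD form ("e" + U+0301).
const NFD_REQUEST = "/Users/alice/secre\u0301t/key.pem";
const NFC_REQUEST = "/Users/alice/secr\u00e9t/key.pem";
const UNRELATED = "/Users/alice/public/readme.txt";

if (typeof require !== "undefined" && require.main === module) {
  console.log("raw-byte check denies NFD path:", isDeniedRawBytes(NFD_REQUEST));
  console.log("normalized check denies NFD path:", isDeniedNormalized(NFD_REQUEST));
}
```

The same normalisation step belongs in every permission check that compares user-supplied paths against rules (`--deny-write`, `--deny-run`, `--deny-ffi`), since the filesystem, not the comparison routine, decides which spellings name the same object.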

BYONM Module Resolution Path Traversal (CVE-2026-49406)

When Deno runs in "bring your own node_modules" mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved entrypoint stayed within its node_modules/<pkg>/ directory. A malicious package.json with .. segments in the main field could resolve to an arbitrary path on disk, bypassing --allow-read restrictions.

Network Permission Bypasses (CVE-2026-49411, CVE-2026-49860, CVE-2026-49859)

Three CVEs target Deno's network sandbox. CVE-2026-49411 concerns the Node.js TCPWrap API, where numeric hostname aliases (such as 127.0.0.2) were not checked against --deny-net rules that apply to resolved IP addresses, allowing a bypass of loopback restrictions. CVE-2026-49860 and CVE-2026-49859 share the same root cause: the WebSocket API and fetch() API respectively checked the destination hostname against --deny-net rules but did not re-check the resolved IP addresses. An attacker-controlled script could use a domain that passes the hostname check yet resolves to a denied IP, bypassing network restrictions.
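All three bugs share one defender-side lesson: a deny rule that names an address range has to be re-evaluated against every address a connection will actually use, not only against the hostname string. The block below is an added example, not Deno's implementation, of a check that does this. It handles IPv4 only (an assumption made to keep it short), takes a resolver callback so the DNS answers can be a constructed in-memory table, and fails closed on anything it cannot parse. The first step alone is the hostname-only comparison the vulnerable paths performed; the second step is the re-check they lacked, which also catches numeric loopback aliases such as 127.0.0.2.

```javascript
// Parse dotted-quad IPv4 into an unsigned integer; null if it is not an IPv4 literal.
function parseIPv4(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// Does an address fall inside a rule written as "a.b.c.d" or "a.b.c.d/prefix"?
// Uses floor-division instead of >> so the full 32-bit range stays unsigned.
function ipMatchesRule(ip, rule) {
  const [base, prefixText] = rule.split("/");
  const baseValue = parseIPv4(base);
  if (baseValue === null) return false; // hostname rule, not an address rule
  const prefix = prefixText === undefined ? 32 : Number(prefixText);
  if (prefix === 0) return true;
  const block = 2 ** (32 - prefix);
  return Math.floor(ip / block) === Math.floor(baseValue / block);
}

function isHostnameRule(rule) {
  return parseIPv4(rule.split("/")[0]) === null;
}

// Decide whether a connection to `hostname` is permitted under `denyRules`.
// `resolve(name)` returns the list of addresses the name maps to.
function checkNetAccess(hostname, denyRules, resolve) {
  const name = hostname.toLowerCase();

  // Step 1: hostname check. On its own this is the incomplete check described above.
  for (const rule of denyRules) {
    if (isHostnameRule(rule) && rule.toLowerCase() === name) {
      return { allowed: false, reason: `hostname ${hostname} is denied by rule ${rule}` };
    }
  }

  // Step 2: re-check every address the connection could actually reach.
  const addresses = parseIPv4(hostname) !== null ? [hostname] : resolve(hostname);
  if (addresses.length === 0) {
    return { allowed: false, reason: `${hostname} did not resolve` };
  }
  for (const addr of addresses) {
    const ip = parseIPv4(addr);
    if (ip === null) {
      return { allowed: false, reason: `unparseable address ${addr} for ${hostname}` };
    }
    for (const rule of denyRules) {
      if (ipMatchesRule(ip, rule)) {
        return { allowed: false, reason: `${hostname} resolves to ${addr}, denied by rule ${rule}` };
      }
    }
  }
  return { allowed: true, reason: "no deny rule matched" };
}

// Constructed deny list and DNS table for the example (TEST-NET-3 addresses).
const DENY_RULES = ["127.0.0.0/8", "10.0.0.0/8", "internal.example"];
const FAKE_DNS = {
  "api.example": ["203.0.113.10"],
  "alias.example": ["203.0.113.10", "127.0.0.2"], // one answer is a loopback alias
};
function fakeResolve(name) {
  return FAKE_DNS[name.toLowerCase()] ?? [];
}

if (typeof require !== "undefined" && require.main === module) {
  for (const host of ["api.example", "alias.example", "127.0.0.2", "internal.example"]) {
    console.log(host, checkNetAccess(host, DENY_RULES, fakeResolve));
  }
}
```

Two design points carry over to any real implementation: every address in the answer set is checked (a name that returns one permitted and one denied address is still denied), and an address literal goes through the same rule matching as a resolved answer, so `127.0.0.2` is treated as loopback rather than as an unfamiliar string.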

Command Injection on Windows (CVE-2026-49402)

Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec. On Windows, the helper failed to quote arguments containing cmd.exe metacharacters such as &, |, <, >, ^, !, (, ), and others. This allowed command injection when a Deno program passed untrusted input to a shell command on Windows.

Environment Permission Bypass (CVE-2026-49983)

process.loadEnvFile(), the Node-compatible API for loading .env files, bypassed Deno's environment permission checks entirely. A program with only --allow-env=FOO,BAR (or even --deny-env) could call loadEnvFile() to read and mutate process.env, violating the principle of least privilege.

Cryptographic Weakness (CVE-2026-49440)

node:crypto.checkPrime() and checkPrimeSync() ran zero Miller-Rabin rounds when the caller left options.checks at its default of 0. The only test applied was trial division by primes up to 17,863, meaning composite numbers could be incorrectly classified as prime. This undermines cryptographic operations that rely on primality testing.
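To make the failure mode concrete, here is an added example (not Deno's or Node's code) that mimics the behaviour described: trial division up to 17,863, then `checks` Miller-Rabin rounds, with `checks` defaulting to 0 so that no rounds run. The fixed witness bases and the test value 65537² are constructed for the illustration; 65537 is prime and larger than the trial-division bound, so its square slips past trial division and only a Miller-Rabin round can reject it.

```javascript
// Bound of the trial-division step, as described in the advisory.
const TRIAL_BOUND = 17863n;

// Returns "prime", "composite", or "unknown" (no small factor found, n too large to settle).
function trialDivision(n) {
  if (n < 2n) return "composite";
  for (let p = 2n; p <= TRIAL_BOUND; p++) {
    if (p * p > n) return "prime";        // no divisor up to sqrt(n): n is prime
    if (n % p === 0n) return "composite";
  }
  return "unknown";
}

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Witness bases for the demo (constructed choice; real implementations use random bases).
const MR_BASES = [2n, 3n, 5n, 7n, 11n, 13n, 17n, 19n, 23n, 29n, 31n, 37n];

// Miller-Rabin for odd n > 2: returns false if any of the first `rounds` bases
// proves n composite, true otherwise. With rounds === 0 nothing is tested at all.
function millerRabin(n, rounds) {
  let d = n - 1n;
  let r = 0n;
  while ((d & 1n) === 0n) { d >>= 1n; r++; }
  for (const a of MR_BASES.slice(0, rounds)) {
    if (a % n === 0n) continue;
    let x = modPow(a, d, n);
    if (x === 1n || x === n - 1n) continue;
    let isWitness = true;
    for (let i = 1n; i < r; i++) {
      x = (x * x) % n;
      if (x === n - 1n) { isWitness = false; break; }
    }
    if (isWitness) return false; // a proves n composite
  }
  return true; // "probably prime" (vacuously true when rounds === 0)
}

// Mirrors the described API shape: `checks` defaults to 0, which means no rounds.
function checkPrime(candidate, { checks = 0 } = {}) {
  const n = BigInt(candidate);
  const verdict = trialDivision(n);
  if (verdict !== "unknown") return verdict === "prime";
  return millerRabin(n, checks);
}

// 65537 is prime and above TRIAL_BOUND, so 65537**2 has no small factor.
const SQUARE_OF_LARGE_PRIME = 65537n ** 2n; // 4295098369

if (typeof require !== "undefined" && require.main === module) {
  console.log("default checks:", checkPrime(SQUARE_OF_LARGE_PRIME));        // true: wrong
  console.log("checks: 8    :", checkPrime(SQUARE_OF_LARGE_PRIME, { checks: 8 })); // false
}
```

The fix on the caller's side is exactly what the advisory recommends: always pass a positive `checks` value, for example `checkPrimeSync(n, { checks: 64 })`, rather than relying on a default that may perform no probabilistic rounds.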

WebSocket Denial of Service (CVE-2026-55517)

A Deno program that opens a client WebSocket connection could be crashed by a malicious remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions headers in a way that assumed their bytes were always printable ASCII. Non-ASCII bytes triggered undefined behavior, leading to a denial of service.

Response and Mitigation

Denoland has not yet released a single coordinated patch for all nine CVEs at the time of disclosure. Users are advised to monitor the Deno GitHub repository and the official Deno release notes for version updates. For the permission bypass bugs (CVE-2026-49401, CVE-2026-49406, CVE-2026-49411, CVE-2026-49860, CVE-2026-49859), users should review their --deny-* and --allow-* flags and consider running untrusted code in isolated environments until patches land. The command injection bug (CVE-2026-49402) is Windows-specific; users on that platform should avoid passing untrusted input to shell: true calls. The crypto weakness (CVE-2026-49440) can be mitigated by explicitly setting options.checks to a positive integer.

Why This Batch Matters

This disclosure is notable not only for the sheer number of CVEs but for the breadth of subsystems affected — permission model, module resolution, network sandbox, child process, environment handling, cryptography, and WebSocket. Several of the bugs (CVE-2026-49401, CVE-2026-49406, CVE-2026-49411, CVE-2026-49860, CVE-2026-49859) directly undermine Deno's security model, which is a core selling point of the runtime. Users who rely on Deno's sandbox to run untrusted code should treat this batch with high priority and apply patches as soon as they become available.

Synthesized by Vypr AI