7.7

Deno: Untrusted Input Can Bypass Permission Prompt

JLSEC-2026-106
Summary

Deno's permission prompts can be manipulated by an attacker using special terminal sequences. This allows an attacker to bypass Deno's security settings and potentially perform actions that the user did not intend. Update to version 1.42.2 or later to fix this issue.

What to do
  • Update deno_jll to version 2.0.0+0.
Affected software
Vendor | Product | Affected versions | Fix available
– | deno_jll | <= 2.0.0+0 | 2.0.0+0
Original title
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's...
Original description
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as an info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. Standard streams also use this channel to send and get data. For example the `\033[6n` sequence requests the current cursor position. These sequences allow us to append data to the standard input of Deno. This vulnerability allows an attacker to bypass Deno permission policy. This vulnerability is fixed in 1.42.2.
osv CVSS3.1 7.7
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026