Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.4
Deno can accidentally grant too much permission to some files
JLSEC-2026-107
Summary
Deno's security settings may not prevent some files from being accessed, which could allow an attacker to do more than they should. This could happen if you're running code that lets Deno read or write to the entire file system. To fix this, Deno 1.43 and later versions require you to explicitly allow access to certain folders, or you can manually add deny flags to previous versions to block access to sensitive files.
What to do
- Update deno_jll to version 2.0.0+0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | deno_jll | <= 2.0.0+0 | 2.0.0+0 |
Original title
Deno permission escalation vulnerability via open of privileged files with missing `--deny` flag
Original description
The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`.
Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox.
### Impact
Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations.
### Patches
Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\` on Windows.
### Workarounds
The security sandbox in previous versions of Deno allows for denial of access to these files, but it requires an explicit addition of deny flags: `--deny-read=/dev --deny-read=/sys --deny-read=/proc --deny-read=/etc --deny-write=/dev --deny-write=/sys --deny-write=/proc --deny-write=/etc`. Note that symlinks in allowed locations may defeat this protection in earlier versions of Deno.
### Reporters
This vulnerability was reported by a number of analysts. Thanks to [[email protected]](mailto:[email protected]), [[email protected]](mailto:[email protected]), @leesh3288, and @cristianstaicu for their reports and analysis.
Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox.
### Impact
Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations.
### Patches
Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\` on Windows.
### Workarounds
The security sandbox in previous versions of Deno allows for denial of access to these files, but it requires an explicit addition of deny flags: `--deny-read=/dev --deny-read=/sys --deny-read=/proc --deny-read=/etc --deny-write=/dev --deny-write=/sys --deny-write=/proc --deny-write=/etc`. Note that symlinks in allowed locations may defeat this protection in earlier versions of Deno.
### Reporters
This vulnerability was reported by a number of analysts. Thanks to [[email protected]](mailto:[email protected]), [[email protected]](mailto:[email protected]), @leesh3288, and @cristianstaicu for their reports and analysis.
osv CVSS3.1
8.4
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026