CVE-2025-48888

5.3 MEDIUM

📋 TL;DR

This CVE describes a permission precedence bug in Deno: when an --allow-* flag and a --deny-* flag are both given for the same permission type, the deny flag is supposed to take precedence, but in affected versions it does not. Any Deno invocation that combines the two for one permission type is affected, and code running under it may obtain file system, network, or other access that the --deny-* flag was meant to block.

💻 Affected Systems

Products:
  • Deno
Versions: 1.41.3 to 2.1.12, 2.2.0 to 2.2.12, 2.3.0 to 2.3.1
Operating Systems: All platforms running Deno
Default Config Vulnerable: No
Notes: Only affects invocations where both an --allow-* and a --deny-* flag are used for the same permission type, whether as a bare pair (e.g., --allow-read --deny-read) or as a broad allow with a scoped deny (e.g., --allow-read --deny-read=/etc).

📦 What is this software?

Deno is an open-source JavaScript and TypeScript runtime built on V8 and written in Rust. It is secure by default: a script gets no file system, network, environment, or subprocess access unless the invocation grants it with --allow-* flags, and the matching --deny-* flags are documented to take precedence over --allow-* so that an operator can carve exceptions out of a broader grant.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could exploit contradictory permission configurations to bypass intended security restrictions, potentially gaining unauthorized read/write access to sensitive files or network resources.

🟠 Likely Case

Limited real-world impact. Most deployments never pair allow and deny flags for the same permission type, and a bare --allow-read --deny-read pairing is not something anyone configures on purpose. The pairing that does occur in practice is the documented "broad allow, narrow deny" pattern (for example --allow-read with --deny-read=<sensitive path>), where the operator relies on the deny flag to hold; on an affected version the deny is ignored and the full allow applies, so anyone using that pattern should treat this as a real exposure rather than a curiosity.

🟢 If Mitigated

No impact if users don't use contradictory permission flags or have upgraded to patched versions.

🌐 Internet-Facing: LOW - Requires specific contradictory command-line flags that are unlikely in production deployments.
🏢 Internal Only: LOW - Same as internet-facing; requires intentional contradictory configuration.

🎯 Exploit Status

Public PoC: No
Weaponized: No
Unauthenticated Exploit: No
Complexity: LOW

Exploitation does not require changing the command line. Any code that runs under an invocation already pairing --allow-* and --deny-* for the same permission type (the application's own code, a compromised dependency, or a script an attacker can get the runtime to execute) can reach the resource the --deny-* flag was meant to block; the attacker only needs such a configuration to exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.13, 2.2.13, or 2.3.2

Vendor Advisory: https://github.com/denoland/deno/security/advisories

Restart Required: No OS reboot, but running Deno processes keep the old binary mapped and must be restarted to pick up the fixed version.

Instructions:

1. Update Deno using: deno upgrade --version 2.3.2 (or 2.2.13 / 2.1.13 for the older release lines)
2. Verify the update with: deno --version

🔧 Temporary Workarounds

Avoid contradictory permission flags (all platforms)

Do not use both --allow-* and --deny-* flags for the same permission type in command-line arguments. If you currently rely on a scoped deny to exclude a path or host from a broad grant, replace the pair with an allow list that only names what the script needs (for example --allow-read=/app/data instead of --allow-read --deny-read=/app/secrets), which does not depend on deny precedence at all.

🧯 If You Can't Patch

  • Review every Deno invocation (service units, container entrypoints, CI jobs, task runners) and ensure no --allow-* and --deny-* flags are combined for the same permission type
  • Add a CI check that rejects Deno command lines pairing --allow-<perm> with --deny-<perm>, so the contradictory pattern cannot be reintroduced

🔍 How to Verify

Check if Vulnerable:

Check if running affected version: deno --version and compare to affected ranges

Check Version:

deno --version

Verify Fix Applied:

After the update, run a read under a contradictory pair, e.g.: deno eval --allow-read --deny-read "Deno.statSync('.')" (Deno.statSync needs read permission). On a fixed version the deny takes precedence and the call fails with a permission error (NotCapable in Deno 2, PermissionDenied in 1.x); on an affected version it succeeds silently.
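The same check as a reusable probe script, added here as an example (it is not part of the advisory or of the Deno project). It assumes that Deno.statSync('.') requires read permission and that a denied call throws NotCapable (Deno 2) or PermissionDenied (Deno 1.x); the probe prints fixed tokens so the verdict does not depend on Deno's exact error text.

```shell
#!/bin/sh
# Probe for CVE-2025-48888: does this Deno honour --deny-read when --allow-read
# is also given? Added example, not from the advisory or the Deno project.
# Assumptions (not stated on the page): Deno.statSync('.') needs read permission,
# and a denied call throws NotCapable (Deno 2) or PermissionDenied (Deno 1.x).
# Usage: sh deny_precedence_check.sh /path/to/deno
# Exit: 0 = deny took precedence (fixed), 1 = read succeeded (affected), 2 = undetermined.

deny_precedence_check() {
    deno_bin="${1:-deno}"
    # Fixed tokens for each outcome, so the verdict does not depend on error wording.
    probe='try { Deno.statSync("."); console.log("READ_OK"); } catch (e) { console.log("READ_DENIED:" + e.name); }'
    out=$("$deno_bin" eval --allow-read --deny-read "$probe" 2>&1) || true
    case "$out" in
        *READ_OK*)     echo "VULNERABLE: --deny-read was ignored, read succeeded"; return 1 ;;
        *READ_DENIED*) echo "PATCHED: deny took precedence (${out##*READ_DENIED:})"; return 0 ;;
        *)             echo "UNDETERMINED: $out"; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    deny_precedence_check "$1"
fi
```

Point it at each Deno binary on a host (for example `sh deny_precedence_check.sh "$(command -v deno)"`) and treat exit code 1 as a confirmed affected runtime; exit code 2 means the binary did not run the probe at all (missing, too old for `deno eval`, or some other error) and needs a manual look.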

📡 Detection & Monitoring

Log Indicators:

  • Deno processes running with both --allow-* and --deny-* flags for same permission

SIEM Query (pseudo-syntax; adapt to your engine):

process.name:"deno" AND command_line:*--allow-* AND command_line:*--deny-*

This is a coarse first pass: it fires on any allow/deny pairing, including harmless ones for different permission types (for example --allow-read with --deny-net), and in many query engines a wildcard inside a quoted phrase is matched literally, so keep the wildcards unquoted. Confirm each hit by checking that the two flags name the same permission type.
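A precise second pass over the command lines the query returns, added as an example (not from the advisory or the Deno project): it reports only the permission types that carry both an --allow- and a --deny- flag in one command line. Only the long flag spellings are matched; -A/--allow-all and the Deno 2 short flags (-R, -W, -N, -E, -S) are deliberately not expanded, and the sample command lines are constructed, not real telemetry.

```shell
#!/bin/sh
# Flag Deno command lines that pair --allow-<perm> and --deny-<perm> for the same
# permission type (the CVE-2025-48888 precondition). Added example, not from the
# advisory or the Deno project; feed it process-audit or shell-history output.
# Only long flag spellings are matched; -A/--allow-all and the Deno 2 short flags
# (-R, -W, -N, -E, -S) are deliberately not expanded here.

# Print each permission type that appears with both an allow and a deny flag in $1.
contradictory_perms() {
    cmdline=" $1 "
    for perm in read write net env run ffi sys import; do
        has_allow=0; has_deny=0
        case "$cmdline" in
            *" --allow-$perm "*|*" --allow-$perm="*) has_allow=1 ;;
        esac
        case "$cmdline" in
            *" --deny-$perm "*|*" --deny-$perm="*) has_deny=1 ;;
        esac
        [ "$has_allow" -eq 1 ] && [ "$has_deny" -eq 1 ] && echo "$perm"
    done
    return 0
}

# Read command lines from stdin (one per line) and report the ones with a hit.
scan_cmdlines() {
    while IFS= read -r line; do
        hits=$(contradictory_perms "$line" | tr '\n' ',')
        [ -n "$hits" ] && printf 'HIT [%s] %s\n' "${hits%,}" "$line"
    done
    return 0
}

# Constructed sample data, not real telemetry.
SAMPLE_CMDLINES='deno run --allow-read --deny-read=/etc/shadow server.ts
deno run --allow-net --allow-env main.ts
deno run --allow-net --deny-net=169.254.169.254 --allow-env --deny-env=AWS_SECRET_ACCESS_KEY worker.ts
deno run --allow-read=/app --deny-write main.ts'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CMDLINES" | scan_cmdlines
fi
```

Run with `--demo` to see the two sample hits (read; net and env); the fourth line pairs --allow-read with --deny-write, which is different permission types and correctly not reported. In practice pipe `ps -eo args` output or the SIEM export into `scan_cmdlines`.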
