CVE-2025-48935

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass Deno's permission system for database read/write operations using the ATTACH DATABASE SQL statement. It affects Deno runtime users running versions 2.2.0 through 2.2.4. Attackers can potentially access or modify database files they shouldn't have permission to touch.

💻 Affected Systems

Products:
  • Deno
Versions: 2.2.0 through 2.2.4
Operating Systems: All platforms where Deno runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use Deno's built-in SQLite database functionality and rely on Deno's permission checks to restrict which database files can be read or written.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including unauthorized data access, modification, or deletion across all database files accessible to the Deno process.

🟠 Likely Case: Unauthorized read access to sensitive database files containing application data, credentials, or configuration information.

🟢 If Mitigated: Limited impact if proper network segmentation and least-privilege principles are followed, restricting database file access at the OS level.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to execute arbitrary SQL statements in Deno's SQLite environment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.5

Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-8vxj-4cph-c596

Restart Required: Yes

Instructions:

1. Update Deno using: deno upgrade --version 2.2.5
2. Restart all Deno processes
3. Verify version with: deno --version

🔧 Temporary Workarounds

Disable SQLite database functionality (platform: all)

Remove or disable SQLite database operations in vulnerable applications.

Restrict file system permissions (platform: linux)

Use OS-level permissions to restrict database file access. The files should be owned by the account the Deno process runs as, so that the process can reach only its own database files regardless of what Deno's permission checks allow (restricted_user, restricted_group and database_files/ below are placeholders):

chmod 600 database_files/*
chown -R restricted_user:restricted_group database_files/

🧯 If You Can't Patch

  • Implement strict input validation on all SQL statements
  • Use external database services instead of Deno's built-in SQLite
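The first item above, strict validation of SQL statements, is easy to get wrong with a plain substring search (keyword case, comments and string literals all need handling). The following is an added example, not code from Deno or its advisory: a single-pass lexer that skips SQL comments and quoted strings and rejects any statement whose bare tokens include ATTACH or DETACH. The function names guardSql and isSqlAllowed are hypothetical; the assumption is that the application passes every statement through guardSql before handing it to the database driver.

```typescript
// Added example (not Deno's own code): defence-in-depth guard that refuses to
// pass an SQL statement containing the ATTACH or DETACH keyword to the driver.

// One left-to-right pass: block comments, line comments, single-quoted string
// literals and double-quoted identifiers are consumed whole so a keyword inside
// them is not counted and a quote inside them cannot hide a later keyword.
// Group 1 captures a bare identifier/keyword token.
const SQL_LEXER =
  /\/\*[\s\S]*?\*\/|--[^\n]*|'(?:[^']|'')*'|"(?:[^"]|"")*"|([A-Za-z_][A-Za-z0-9_]*)/g;

// Return the uppercase bare tokens of a statement (comments and strings removed).
function sqlKeywordTokens(sql: string): string[] {
  const tokens: string[] = [];
  const re = new RegExp(SQL_LEXER.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(sql)) !== null) {
    if (m[1] !== undefined) {
      tokens.push(m[1].toUpperCase());
    }
  }
  return tokens;
}

// Keywords that must never reach the SQLite driver from application code
// while the affected Deno versions are in use.
const BLOCKED_KEYWORDS = new Set<string>(["ATTACH", "DETACH"]);

// Return the statement unchanged if it is acceptable, otherwise throw.
function guardSql(sql: string): string {
  for (const tok of sqlKeywordTokens(sql)) {
    if (BLOCKED_KEYWORDS.has(tok)) {
      throw new Error("refusing SQL statement: " + tok + " is not allowed");
    }
  }
  return sql;
}

// Boolean form for callers that prefer to log and drop rather than throw.
function isSqlAllowed(sql: string): boolean {
  try {
    guardSql(sql);
    return true;
  } catch (_err) {
    return false;
  }
}

// Stand-alone demonstration on constructed statements.
console.log(isSqlAllowed("SELECT name FROM users WHERE id = ?"));          // true
console.log(isSqlAllowed("SELECT 'ATTACH DATABASE' AS label"));            // true (inside a literal)
console.log(isSqlAllowed("select 1; attach database '/tmp/x.db' as y"));  // false
```

Because the lexer consumes a string literal before it looks for a line comment, a statement such as `SELECT '--'; ATTACH ...` is still rejected, which a comment-stripping pass run before a string-stripping pass would miss. This guard is a stop-gap for the "can't patch" case only; it does not replace upgrading to 2.2.5.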

🔍 How to Verify

Check if Vulnerable:

Check if Deno version is between 2.2.0 and 2.2.4 inclusive

Check Version:

deno --version

Verify Fix Applied:

Confirm Deno version is 2.2.5 or higher
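The two checks above reduce to one comparison: is the installed version inside 2.2.0 through 2.2.4 inclusive? The following is an added example, not tooling from Deno or the advisory: it parses a version out of either the first line of `deno --version` output (which typically begins `deno 2.2.3 (stable, release, ...)`) or a bare version string, and reports whether it is in the affected range named on this page. The function names are hypothetical; inside a Deno program the same function can be given Deno.version.deno.

```typescript
// Added example (not Deno's own tooling): is this Deno version in the affected
// range 2.2.0 .. 2.2.4 (inclusive) given on this page?

const AFFECTED_MIN: number[] = [2, 2, 0]; // first affected version
const AFFECTED_MAX: number[] = [2, 2, 4]; // last affected version; 2.2.5 is the fix

// Extract the first MAJOR.MINOR.PATCH triple from a string such as
// "deno 2.2.3 (stable, release, x86_64-unknown-linux-gnu)" or "2.2.3".
// Returns null when no version triple is present.
function parseDenoVersion(text: string): number[] | null {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(text);
  if (m === null) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a: number[], b: number[]): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in the affected range. Throws rather than
// silently reporting "not affected" if no version can be found in the input.
function isAffectedDenoVersion(text: string): boolean {
  const v = parseDenoVersion(text);
  if (v === null) {
    throw new Error("no MAJOR.MINOR.PATCH version found in: " + text);
  }
  return compareVersions(v, AFFECTED_MIN) >= 0 &&
    compareVersions(v, AFFECTED_MAX) <= 0;
}

// Human-readable verdict for a check script.
function denoVersionVerdict(text: string): string {
  const v = parseDenoVersion(text);
  if (v === null) return "unknown: could not parse a version";
  const shown = v.join(".");
  if (isAffectedDenoVersion(text)) {
    return "AFFECTED: Deno " + shown + " is within 2.2.0-2.2.4; upgrade to 2.2.5";
  }
  return "not affected: Deno " + shown + " is outside 2.2.0-2.2.4";
}

// Stand-alone demonstration on a constructed `deno --version` first line.
console.log(denoVersionVerdict("deno 2.2.3 (stable, release, x86_64-unknown-linux-gnu)"));
console.log(denoVersionVerdict("deno 2.2.5 (stable, release, x86_64-unknown-linux-gnu)"));
```

To use it against a real installation, feed the first line of `deno --version` to denoVersionVerdict; the regex takes the first version triple it sees, so the target-triple suffix on that line does not interfere.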

📡 Detection & Monitoring

Log Indicators:

  • ATTACH DATABASE statements in SQL logs (only visible if the application logs the SQL statements it executes)
  • Unexpected database file access patterns

Network Indicators:

  • N/A - local file system vulnerability

SIEM Query:

search 'ATTACH DATABASE' in application logs
