Security: denoland/deno
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)GHSA-4c96-w8v2-p28j published
Mar 12, 2026 by bartlomiejuHigh -
Command Injection via Incomplete shell metacharacter blocklist in `node:child_process`GHSA-hmh4-3xvx-q5hr published
Feb 19, 2026 by bartlomiejuHigh -
`node:crypto` doesn't finalize cipherGHSA-5379-f5hf-w38v published
Jan 15, 2026 by bartlomiejuCritical -
Incomplete fix for command-injection prevention on Windows — case-insensitive extension bypassGHSA-m3c4-prhw-mrx6 published
Jan 15, 2026 by bartlomiejuHigh -
Command Injection on WindowsGHSA-m2gf-x3f6-8hq3 published
Oct 7, 2025 by bartlomiejuHigh -
Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync --deny-write permission bypassGHSA-vg2r-rmgp-cgqj published
Oct 7, 2025 by bartlomiejuLow -
Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSyn --deny-read permission bypassGHSA-qq26-84mh-26j9 published
Oct 7, 2025 by bartlomiejuLow -
deno run with --allow-read and --deny-read flags results in allowedGHSA-xqxc-x6p3-w683 published
Jun 3, 2025 by bartlomiejuLow -
Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variablesGHSA-7w8p-chxq-2789 published
Jun 3, 2025 by bartlomiejuModerate -
--allow-read / --allow-write permission bypass in `node:sqlite`GHSA-8vxj-4cph-c596 published
Jun 3, 2025 by bartlomiejuHigh