CVE-2026-49406

MEDIUM 5.5

Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved entrypoint stayed within its node_modules/<pkg>/ directory. A malicious package.json whose main field contained .. segments was able to resolve to an arbitrary path on disk, and the resolver then read that file without consulting the --allow-read allowlist. This let a require("evil-pkg") call return the contents of a file that a direct Deno.readTextFileSync(...) call would have been blocked from reading. This vulnerability is fixed in 2.7.12.

CWE	CWE-22
Vendor	denoland
Product	deno
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for denoland deno

Be the first to know when new medium vulnerabilities affecting denoland deno are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

denoland / deno

< 2.7.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/denoland/deno/security/advisories/GHSA-968w-xfqw-vp9q