CVE-2026-49411
Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address (for example the decimal integer 2130706433 or the hex form 0x7f000001, both of which resolve to 127.0.0.1) and reach the denied destination through node:net.connect or node:http.request's { host, port } options form. This vulnerability is fixed in 2.8.0.
| CWE | CWE-284 |
| Vendor | denoland |
| Product | deno |
| Published | Jun 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for denoland deno
Be the first to know when new medium vulnerabilities affecting denoland deno are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
denoland / deno
< 2.8.0