{"id":"CVE-2025-48888","summary":"Deno run with --allow-read and --deny-read flags results in allowed","details":"Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions given as `--allow-* --deny-*`. This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase. Users may upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.","aliases":["GHSA-xqxc-x6p3-w683"],"modified":"2026-04-10T05:28:51.668840Z","published":"2025-06-04T19:15:55.041Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48888.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-863"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48888.json"},{"type":"ADVISORY","url":"https://github.com/denoland/deno/security/advisories/GHSA-xqxc-x6p3-w683"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48888"},{"type":"FIX","url":"https://github.com/denoland/deno/commit/2f0fae9d9071dcaf0a689bc7097584b1b9ebc8db"},{"type":"FIX","url":"https://github.com/denoland/deno/commit/9d665572d3cd39f997e29e6daac7c1102fc5c04f"},{"type":"FIX","url":"https://github.com/denoland/deno/commit/ef315b56c26c9ef5f25284a5100d2ed525a148cf"},{"type":"FIX","url":"https://github.com/denoland/deno/pull/22894"},{"type":"FIX","url":"https://github.com/denoland/deno/pull/29213"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/denoland/deno","events":[{"introduced":"0d7662e1556a60bcc4b7075752fb2c2842b1afea"},{"fixed":"5b85bdaf88e36a1fcae3e442d96f026e4e1f9b92"}],"database_specific":{"versions":[{"introduced":"1.41.3"},{"fixed":"2.1.13"}]}},{"type":"GIT","repo":"https://github.com/denoland/deno","events":[{"introduced":"29688168631edb677a444ba3cd02b2be21304a1f"},{"fixed":"0117f27aef98e1bf9a8689fe5ab6b03b5a1453f7"}],"database_specific":{"versions":[{"introduced":"2.2.0"},{"fixed":"2.2.13"}]}},{"type":"GIT","repo":"https://github.com/denoland/deno","events":[{"introduced":"61574bb9c9c255d5c661add6c7464af30475c197"},{"fixed":"7b74f385396bded16f99db64b97aa48e6f603f16"}],"database_specific":{"versions":[{"introduced":"2.3.0"},{"fixed":"2.3.2"}]}}],"versions":["v2.2.0","v2.2.1","v2.2.10","v2.2.11","v2.2.12","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48888.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}]}