{"id":"GHSA-xqxc-x6p3-w683","summary":"Deno run with --allow-read and --deny-read flags results in allowed","details":"### Summary\n\n`deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. Same with all global unary permissions given as `--allow-* --deny-*`.\n\n### Details\n\nCaused by the fast exit logic in #22894.\n\n### PoC\n\nRun the above command expecting no permissions to be passed.\n\n### Impact\n\nThis only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase.","aliases":["CVE-2025-48888"],"modified":"2025-07-02T18:29:57Z","published":"2025-06-04T21:13:44Z","related":["CVE-2025-48888"],"database_specific":{"github_reviewed":true,"github_reviewed_at":"2025-06-04T21:13:44Z","cwe_ids":["CWE-863"],"nvd_published_at":"2025-06-04T20:15:23Z","severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/denoland/deno/security/advisories/GHSA-xqxc-x6p3-w683"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48888"},{"type":"WEB","url":"https://github.com/denoland/deno/pull/22894"},{"type":"WEB","url":"https://github.com/denoland/deno/pull/29213"},{"type":"WEB","url":"https://github.com/denoland/deno/commit/2f0fae9d9071dcaf0a689bc7097584b1b9ebc8db"},{"type":"WEB","url":"https://github.com/denoland/deno/commit/9d665572d3cd39f997e29e6daac7c1102fc5c04f"},{"type":"WEB","url":"https://github.com/denoland/deno/commit/ef315b56c26c9ef5f25284a5100d2ed525a148cf"},{"type":"PACKAGE","url":"https://github.com/denoland/deno"}],"affected":[{"package":{"name":"deno","ecosystem":"crates.io","purl":"pkg:cargo/deno"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.41.3"},{"fixed":"2.1.13"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-xqxc-x6p3-w683/GHSA-xqxc-x6p3-w683.json"}},{"package":{"name":"deno","ecosystem":"crates.io","purl":"pkg:cargo/deno"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.2.0"},{"fixed":"2.2.13"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-xqxc-x6p3-w683/GHSA-xqxc-x6p3-w683.json"}},{"package":{"name":"deno","ecosystem":"crates.io","purl":"pkg:cargo/deno"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.3.0"},{"fixed":"2.3.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-xqxc-x6p3-w683/GHSA-xqxc-x6p3-w683.json"}},{"package":{"name":"deno_runtime","ecosystem":"crates.io","purl":"pkg:cargo/deno_runtime"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.150.0"},{"fixed":"0.212.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-xqxc-x6p3-w683/GHSA-xqxc-x6p3-w683.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}]}