deno (crates.io) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the crates.io package deno, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (37)
CVE-2022-24783 — CVSS 10.0 (critical): Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an…
CVE-2023-28445 — CVSS 9.9 (critical): Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Resizable ArrayBuffers passed to asynchronous functions…
CVE-2021-32619 — CVSS 9.8 (critical): Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. In Deno versions 1.5.0 to 1.10.1, modules that are…
CVE-2025-48935 — CVSS 9.1 (critical): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass…
CVE-2024-27936 — CVSS 8.8 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of…
CVE-2023-28446 — CVSS 8.8 (high): Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names…
CVE-2023-33966 — CVSS 8.6 (high): Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and deno_runtime 0.114.0, outbound HTTP requests made using the built-in…
CVE-2024-27934 — CVSS 8.4 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe…
CVE-2021-41641 — CVSS 8.4 (high): Deno <=1.14.0 file sandbox does not handle symbolic links correctly. When running Deno with specific write access, the Deno.symlink method…
CVE-2024-34346 — CVSS 8.4 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. The Deno sandbox may be unexpectedly weakened by allowing…
CVE-2024-27933 — CVSS 8.2 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to…
CVE-2026-27190 — CVSS 8.1 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's…
CVE-2026-49402 — CVSS 8.1 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an…
CVE-2025-61787 — CVSS 8.1 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection…
CVE-2026-22864 — CVSS 8.1 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by…
CVE-2026-32260 — CVSS 8.1 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's…
CVE-2026-22863 — CVSS 7.5 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an…
CVE-2023-22499 — CVSS 7.5 (high): Deno is a runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Multi-threaded programs were able to spoof interactive…
CVE-2025-21620 — CVSS 7.5 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to…
CVE-2026-44726 — CVSS 7.4 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could…
CVE-2026-49440 — CVSS 7.4 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrime(candidate[, options][, callback]) and…
CVE-2026-49401 — CVSS 7.3 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution…
CVE-2024-27935 — CVSS 7.2 (high): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in…
CVE-2026-49411 — CVSS 6.5 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission…
CVE-2024-27931 — CVSS 5.8 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*`…
CVE-2026-49406 — CVSS 5.5 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode (nodeModulesDir: "manual"), the…
CVE-2025-48934 — CVSS 5.3 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any…
CVE-2023-26103 — CVSS 5.3 (medium): Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket…
CVE-2025-24015 — CVSS 5.3 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and…
CVE-2025-48888 — CVSS 5.3 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2…
CVE-2026-49859 — CVSS 5.2 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname…
CVE-2026-49860 — CVSS 5.2 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the…
CVE-2026-49983 — CVSS 5.2 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny…
CVE-2024-27932 — CVSS 4.6 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks…
CVE-2026-55517 — CVSS 4.3 (medium): Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be…
CVE-2025-61786 — CVSS 3.3 (low): Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and…
CVE-2025-61785 — CVSS 3.3 (low): Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.utime` and…