Impact
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to version 2.7.14, its permission system enforces filesystem and execution restrictions by comparing requested paths against paths supplied to deny flags such as --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was performed at the raw-byte level while APFS treats different Unicode spellings of the same name as identical. Consequently, a program could reach a denied path by spelling it differently than the deny rule, bypassing the restriction. The issue was addressed in version 2.7.14.
Affected Systems
Deno runtimes installed on macOS systems running APFS and built with a version earlier than 2.7.14. Any user code executed by such installations is potentially affected because the denial rules are bypassed by Unicode‑normalisation differences.
Risk and Exploitability
The CVSS score of 7.3 classifies this as a high‑severity vulnerability. An EPSS score is not available and the issue is not listed in the CISA KEV catalogue. Based on the description, it is inferred that the attack requires local access to the machine and the ability to run or influence Deno code; the attacker creates a path that employs a Unicode representation that differs from the deny rule, and Deno will incorrectly interpret it as a distinct path, thus reaching the forbidden resource. With the vulnerability fixed in version 2.7 of exploitation drops dramatically because the permission checks become consistent across both the operating system and the runtime.
OpenCVE Enrichment
Github GHSA