Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.
Published: 2026-06-23
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to version 2.7.14, its permission system enforces filesystem and execution restrictions by comparing requested paths against paths supplied to deny flags such as --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was performed at the raw-byte level while APFS treats different Unicode spellings of the same name as identical. Consequently, a program could reach a denied path by spelling it differently than the deny rule, bypassing the restriction. The issue was addressed in version 2.7.14.

Affected Systems

Deno runtimes installed on macOS systems running APFS and built with a version earlier than 2.7.14. Any user code executed by such installations is potentially affected because the denial rules are bypassed by Unicode‑normalisation differences.

Risk and Exploitability

The CVSS score of 7.3 classifies this as a high‑severity vulnerability. An EPSS score is not available and the issue is not listed in the CISA KEV catalogue. Based on the description, it is inferred that the attack requires local access to the machine and the ability to run or influence Deno code; the attacker creates a path that employs a Unicode representation that differs from the deny rule, and Deno will incorrectly interpret it as a distinct path, thus reaching the forbidden resource. With the vulnerability fixed in version 2.7 of exploitation drops dramatically because the permission checks become consistent across both the operating system and the runtime.

Generated by OpenCVE AI on June 24, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Deno version 2.7.14 or later to receive the security fix
  • If an upgrade cannot be performed immediately, isolate Deno processes from untrusted code and avoid relying on permission flags that originate from external scripts
  • Verify that any hard‑coded paths in your application are explicitly normalised to the same form used by the deny rules, or avoid using permission flags that specify paths entirely

Generated by OpenCVE AI on June 24, 2026 at 10:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8xpq-cjcf-3wh9 Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Deno
Deno deno
Vendors & Products Deno
Deno deno

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.
Title Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)
Weaknesses CWE-176
CWE-41
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:35:51.803Z

Reserved: 2026-05-29T19:08:01.256Z

Link: CVE-2026-49401

cve-icon Vulnrichment

Updated: 2026-06-23T17:35:48.716Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-176

    Improper Handling of Unicode Encoding

  • CWE-41

    Improper Resolution of Path Equivalence