Impact
Prior to Deno 2.7.12, running the runtime in BYONM mode (nodeModulesDir set to "manual") caused the module resolver to bypass validation that a package's entry point remained inside its node_modules/<pkg>/ directory. A malicious package.json whose main field contained .. segments could resolve to an arbitrary path on disk, and the resolver would read that file without consulting the --allow-read allowlist. This allowed a require("evil-pkg") call to return the contents of a file that a direct Deno.readTextFileSync would normally block, effectively granting the Deno process privileged file read access (CWE-22). The vulnerability is fixed in Deno 2.7.12.
Affected Systems
Denoland’s Deno runtime in any version earlier than 2.7.12 when executed in BYONM mode is affected. Versions 2.7.12 and later contain a fix that validates the main entrypoint’s containment within node_modules. The issue only manifests when the nodeModulesDir configuration is set to "manual".
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. A typical exploitation scenario requires an attacker to provide a crafted npm package that is imported by a Deno script running in BYONM mode. Once the package is loaded, the resolver reads an arbitrary file without respecting read permissions, allowing the attacker to read any file the process can access. Based on the description, it is inferred that the exploit requires local execution, but if the Deno process runs with elevated privileges, the impact can be more severe.
OpenCVE Enrichment
Github GHSA