Impact
Deno's Node.js compatibility TCP path performed the permission check on the original hostname string before DNS resolution and did not execute a second check after the hostname had been resolved. Consequently, an attacker could supply a numeric alias that maps to an IP address—such as the decimal 2130706433 or the hexadecimal 0x7f000001, both resolving to 127.0.0.1—when calling node:net.connect or node:http.request with { host, port } options. This bypass of the deny-net permission permits reach to destinations that should have been blocked, enabling unauthorized network access to local services (CWE‑284). The flaw is mitigated in Deno 2.8.0.
Affected Systems
All installations of Denoland Deno older than version 2.8.0 that enable the Node.js compatibility layer and are executed with the '--deny-net' permission are vulnerable. Scripts or modules that use the compatibility APIs node:net or node:http are affected, regardless of whether the caller is direct or indirect. The issue does not impact the native Deno networking APIs.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires the attacker to execute or influence code running under Deno; there is no evidence of an external or remote attack vector beyond code execution. The likely attack vector is the injection of malicious network parameters into a Deno application that has been granted deny-net permissions but neglects to properly check resolved IPs. Based on the description, it is inferred that an attacker would need to run or inject code within the Deno runtime (for example, via a compromised script) to use the bypass, after which the application can reach local services that should have been blocked.
OpenCVE Enrichment
Github GHSA