Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address (for example the decimal integer 2130706433 or the hex form 0x7f000001, both of which resolve to 127.0.0.1) and reach the denied destination through node:net.connect or node:http.request's { host, port } options form. This vulnerability is fixed in 2.8.0.
Published: 2026-06-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deno's Node.js compatibility TCP path performed the permission check on the original hostname string before DNS resolution and did not execute a second check after the hostname had been resolved. Consequently, an attacker could supply a numeric alias that maps to an IP address—such as the decimal 2130706433 or the hexadecimal 0x7f000001, both resolving to 127.0.0.1—when calling node:net.connect or node:http.request with { host, port } options. This bypass of the deny-net permission permits reach to destinations that should have been blocked, enabling unauthorized network access to local services (CWE‑284). The flaw is mitigated in Deno 2.8.0.

Affected Systems

All installations of Denoland Deno older than version 2.8.0 that enable the Node.js compatibility layer and are executed with the '--deny-net' permission are vulnerable. Scripts or modules that use the compatibility APIs node:net or node:http are affected, regardless of whether the caller is direct or indirect. The issue does not impact the native Deno networking APIs.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires the attacker to execute or influence code running under Deno; there is no evidence of an external or remote attack vector beyond code execution. The likely attack vector is the injection of malicious network parameters into a Deno application that has been granted deny-net permissions but neglects to properly check resolved IPs. Based on the description, it is inferred that an attacker would need to run or inject code within the Deno runtime (for example, via a compromised script) to use the bypass, after which the application can reach local services that should have been blocked.

Generated by OpenCVE AI on June 24, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Deno 2.8.0 or newer where the permission check after hostname resolution is implemented.
  • If an immediate upgrade is not possible, restrict the application to run without the '--deny-net' flag, or limit its network access by explicitly whitelisting only required endpoints.
  • Implement network firewall rules to block connections to loopback addresses from Deno processes.

Generated by OpenCVE AI on June 24, 2026 at 10:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v8fw-85r8-5m23 Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks
History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Deno
Deno deno
Vendors & Products Deno
Deno deno

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address (for example the decimal integer 2130706433 or the hex form 0x7f000001, both of which resolve to 127.0.0.1) and reach the denied destination through node:net.connect or node:http.request's { host, port } options form. This vulnerability is fixed in 2.8.0.
Title Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:56:10.417Z

Reserved: 2026-05-29T19:08:01.258Z

Link: CVE-2026-49411

cve-icon Vulnrichment

Updated: 2026-06-26T18:55:28.621Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses