Impact
Deno versions older than 2.8.1 perform hostname checks against the --deny-net policy when fetch() is called but do not re‑verify the IP addresses that hostnames resolve to. An attacker can craft a domain name that satisfies the hostname check while resolving to a disallowed IP, allowing the fetch() request to reach a blocked network destination. This flaw permits an untrusted script to bypass the intended network isolation; it is an example of CWE‑693 (Improper Authorization) and CWE‑918 (Server‑Side Request Forgery).
Affected Systems
The vulnerability affects all installations of the Deno JavaScript/TypeScript/WebAssembly runtime produced by denoland, specifically any version prior to 2.8.1. Users running older Deno binaries that employ the --deny-net network restriction are susceptible and should upgrade.
Risk and Exploitability
The CVSS score of 5.2 indicates moderate severity, and no EPSS score is available, meaning there is limited data on real‑world exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploits exist. Based on the description, the likely attack vector is through a malicious or compromised script that invokes fetch(), which can be executed in a sandbox or untrusted environment. The impact is confined to bypassing network restrictions, potentially enabling unauthorized network connections from within the Deno process. The overall risk is moderated by the lack of high exploitation probability or documented attacks.
OpenCVE Enrichment
Github GHSA