Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.
Published: 2026-06-23
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deno versions older than 2.8.1 perform hostname checks against the --deny-net policy when fetch() is called but do not re‑verify the IP addresses that hostnames resolve to. An attacker can craft a domain name that satisfies the hostname check while resolving to a disallowed IP, allowing the fetch() request to reach a blocked network destination. This flaw permits an untrusted script to bypass the intended network isolation; it is an example of CWE‑693 (Improper Authorization) and CWE‑918 (Server‑Side Request Forgery).

Affected Systems

The vulnerability affects all installations of the Deno JavaScript/TypeScript/WebAssembly runtime produced by denoland, specifically any version prior to 2.8.1. Users running older Deno binaries that employ the --deny-net network restriction are susceptible and should upgrade.

Risk and Exploitability

The CVSS score of 5.2 indicates moderate severity, and no EPSS score is available, meaning there is limited data on real‑world exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploits exist. Based on the description, the likely attack vector is through a malicious or compromised script that invokes fetch(), which can be executed in a sandbox or untrusted environment. The impact is confined to bypassing network restrictions, potentially enabling unauthorized network connections from within the Deno process. The overall risk is moderated by the lack of high exploitation probability or documented attacks.

Generated by OpenCVE AI on June 24, 2026 at 10:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Deno runtime to version 2.8.1 or newer, which contains the necessary DNS resolution check in the fetch() API.
  • If an immediate upgrade is not feasible, supplement the --deny-net policy with external network filtering or a firewall rule that blocks the IP ranges that should not be reachable from the Deno process.
  • Implement a domain validation step in any untrusted code paths, ensuring that hostnames do not resolve to disallowed IP addresses before calling fetch.

Generated by OpenCVE AI on June 24, 2026 at 10:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cpgj-f7g3-2pp2 Deno: `fetch()` API sandbox bypass via missing DNS resolution check
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Deno
Deno deno
Vendors & Products Deno
Deno deno

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.
Title Deno: `fetch()` API sandbox bypass via missing DNS resolution check
Weaknesses CWE-693
CWE-918
References
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T14:23:09.068Z

Reserved: 2026-06-01T22:03:19.640Z

Link: CVE-2026-49859

cve-icon Vulnrichment

Updated: 2026-06-24T14:23:04.221Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure

  • CWE-918

    Server-Side Request Forgery (SSRF)