Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.
Published: 2026-06-23
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Before version 2.8.1, Deno's WebSocket API was intended to enforce the --deny-net network restrictions by validating the hostname of an outgoing connection. The implementation, however, failed to re‑check the IP addresses that the hostname resolved to, allowing an attacker to craft a domain that passes the hostname check yet points to a denied IP address. This flaw enabled a sandbox bypass via WebSocket connections, turning the network restrictions into a no‑op. The vulnerability, a DNS rebinding issue (CWE‑918), was corrected in Deno 2.8.1.

Affected Systems

Versions of Deno released before 2.8.1 are vulnerable. The fix was introduced in Deno 2.8.1. All products that run unmodified Deno code prior to that version are impacted.

Risk and Exploitability

The CVSS score of 5.2 indicates moderate severity, and there is no EPSS score or KEV listing, suggesting that zero‑day exploitation data is not known. The attack requires that the attacker be able to execute code that calls the Deno WebSocket API; this could occur in a local script or a compromised web page that the user is allowed to run in Deno. Since the vulnerability allows circumventing the deny‑net restrictions, an attacker who can trigger the WebSocket can potentially access any resource reachable from the host, increasing the impact to confidentiality and availability of internal services. The likely attack vector is a malicious script run within the Deno runtime, or an application that internally invokes the WebSocket API with attacker‑controlled input, inferred from the described behavior.

Generated by OpenCVE AI on June 24, 2026 at 10:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Deno version 2.8.1 or newer to apply the WebSocket host‑check fix.
  • If immediate upgrade is not possible, block outbound network traffic from the Deno process using a firewall or network rules that only allow access to approved IP ranges.
  • Verify that any applications using the WebSocket API perform their own DNS validation or restrict the API to trusted domains in the application logic.

Generated by OpenCVE AI on June 24, 2026 at 10:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-83pc-3rw9-qpwj Deno: WebSocket API sandbox bypass via missing post-DNS check
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Deno
Deno deno
Vendors & Products Deno
Deno deno

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.
Title Deno: WebSocket API sandbox bypass via missing post-DNS check
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:37:07.624Z

Reserved: 2026-06-01T22:03:19.640Z

Link: CVE-2026-49860

cve-icon Vulnrichment

Updated: 2026-06-23T17:37:04.101Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)