Impact
This vulnerability allows a Deno program to modify process.env even when the env permission is denied. Prior to 2.8.1, environment access is gated by the env permission, which can be denied with --deny-env or restricted with --allow-env. The loadEnvFile() API checks only for read permission on the .env file; it then writes every key from that file into process.env, regardless of the env permission. Consequently, with --allow-read and a writable or attacker-controlled .env file, an application can bypass --deny-env. The flaw falls under CWE‑863 and was fixed in Deno 2.8.1.
Affected Systems
The affected vendor is Denoland, with the Deno runtime. All Deno releases prior to 2.8.1 are impacted. Users running 2.7 or earlier versions, or any release that has not shipped the 2.8.1 patch, are vulnerable to this bypass.
Risk and Exploitability
The CVSS score of 5.2 reflects a moderate severity. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. An attacker who allows the program to read a .env file can place arbitrary keys in that file; with --allow-read and --deny-env enabled, the program will still load these keys, effectively subverting the environment permission controls. The attack requires only read access to the .env file, making it straightforward to exploit within a trusted runtime environment.
OpenCVE Enrichment
Github GHSA