CVE-2026-49411

MEDIUM EPSS 1.6%

Published Jun 23, 20261w ago · Modified Jun 23, 20261w ago

6.5 CVSS 3.1

Medium

Published Jun 23, 2026 1w ago

Last Modified Jun 23, 2026 1w ago

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address (for example the decimal integer 2130706433 or the hex form 0x7f000001, both of which resolve to 127.0.0.1) and reach the denied destination through node:net.connect or node:http.request's { host, port } options form. This vulnerability is fixed in 2.8.0.

CVSS Details

Base Score

6.5

Exploitability

2.0

Impact

4.0

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Changed

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

1.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-284

References 1

github.com https://github.com/denoland/deno/security/advisories/GHSA-v8fw-85r8-5m23

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.