CVE-2026-49859

MEDIUM EPSS 1.3%

Published Jun 23, 20261w ago · Modified Jun 24, 20266d ago

5.2 CVSS 3.1

Medium

Published Jun 23, 2026 1w ago

Last Modified Jun 24, 2026 6d ago

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.

CVSS Details

Base Score

5.2

Exploitability

2.0

Impact

2.7

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

1.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-693

CWE-918 Server-Side Request Forgery (SSRF) Validation

References 1

github.com https://github.com/denoland/deno/security/advisories/GHSA-cpgj-f7g3-2pp2

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.