CVE-2025-48934

Public Exploit
Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the documentation of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the `Deno.env.toObject()` method. Versions 2.1.13 and 2.2.13 contains a patch.

Category

5.5
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.05%
Vendor Advisory github.com
Affected: denoland deno
Published at:
Updated at:

References

Link Tags
https://github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789 vendor advisory exploit
https://github.com/denoland/deno/pull/29079 issue tracking patch
https://github.com/denoland/deno/commit/2959e083912420988066a001c2b2d6732a1b562f patch
https://github.com/denoland/deno/commit/946ccda1aa19a00c478a5e6826b75053b050d753 patch
https://docs.deno.com/api/deno/~/Deno.Env.toObject product
https://docs.deno.com/runtime/fundamentals/security/#environment-variables product

Frequently Asked Questions

What is the severity of CVE-2025-48934?
CVE-2025-48934 has been scored as a medium severity vulnerability.
How to fix CVE-2025-48934?
To fix CVE-2025-48934, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-48934 being actively exploited in the wild?
It is possible that CVE-2025-48934 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-48934?
CVE-2025-48934 affects denoland deno.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.