GHSA-968W-XFQW-VP9Q

Vulnerability from github – Published: 2026-06-16 19:11 – Updated: 2026-06-16 19:11
VLAI
Summary
Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions
Details

Summary

When Deno was run in BYONM mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved entrypoint stayed within its node_modules/<pkg>/ directory. A malicious package.json whose main field contained .. segments was able to resolve to an arbitrary path on disk, and the resolver then read that file without consulting the --allow-read allowlist. This let a require("evil-pkg") call return the contents of a file that a direct Deno.readTextFileSync(...) call would have been blocked from reading.

Details

In BYONM mode, Deno resolved npm packages directly from a user-managed node_modules tree. Resolution of require("pkg") proceeded by reading pkg/package.json, taking the main field, joining it to the package directory, and loading the result as a module.

The path joined from main was not constrained to the package root. A package.json such as:

{ "main": "../../../secret.json" }

resolved to node_modules/pkg/../../../secret.json, escaping node_modules entirely. The BYONM permission check accepted any path that contained a node_modules component and did not reject .. traversal, so the resolved path was loaded without a read-permission check.

Because resolution loaded JSON entrypoints by parsing their contents and returning them through require, this exposed the contents of arbitrary .json files reachable by the OS user to the requiring code, even when --allow-read had been narrowed to a specific directory.

The same file accessed via Deno.readTextFileSync was correctly blocked. The bug was that module resolution did not enforce the same read-permission boundary that the filesystem APIs enforced.

Proof of concept

The reporter supplied a self-contained PoC. Layout:

/tmp/deno_byonm_poc/
├── app/
│   ├── deno.json            (BYONM enabled)
│   ├── exploit.ts           (require("evil-pkg"))
│   └── node_modules/
│       └── evil-pkg/
│           └── package.json (main: "../../../secret.json")
└── secret.json              (outside --allow-read scope)

Run:

deno run --no-prompt --allow-read=/tmp/deno_byonm_poc/app exploit.ts

Observed:

  • Deno.readTextFileSync("/tmp/deno_byonm_poc/secret.json") — blocked, as expected.
  • require("evil-pkg") — returned the parsed contents of secret.json, bypassing the read allowlist.

A control run with BYONM disabled (--no-config) blocked the require call.

Impact

The vulnerability allowed a hostile npm package installed under a BYONM node_modules to read JSON files outside the directories granted via --allow-read, up to the privileges of the OS user running Deno. In practice this exposed configuration and credential files (.env.json, cloud credentials, package lockfiles, etc.) that the user had deliberately excluded from the read scope.

The vulnerability did not grant any capability beyond what the OS user already held, did not affect runs that granted unrestricted --allow-read, and required the user to have installed and then required a hostile package, i.e. an existing supply-chain compromise. The reason it warranted a security advisory rather than a routine bug fix is that Deno's permission model promised that --allow-read=<scope> was a hard boundary even over untrusted npm code, and that promise was broken.

Not affected:

  • Runs without BYONM (default npm resolution went through a separate code path that rejected the traversal).
  • Runs with full --allow-read (no boundary to bypass).
  • Non-JSON entrypoints, in practice — .js/.cjs/.mjs targets executed rather than exposing file contents, which already implied attacker code execution within the granted permission set.

Workarounds

Users on unpatched versions could mitigate by:

  • Avoiding BYONM mode (nodeModulesDir: "manual") for projects that depended on untrusted packages.
  • Auditing package.json main fields in node_modules for .. segments before running.
  • Granting --allow-read only when the read scope already covered every file the OS user could see (in which case there was no boundary to bypass and no additional exposure).
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7.11"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T19:11:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nWhen Deno was run in BYONM mode (`nodeModulesDir: \"manual\"`), the module resolver did not validate that a package\u0027s resolved entrypoint stayed within its `node_modules/\u003cpkg\u003e/` directory. A malicious `package.json` whose `main` field contained `..` segments was able to resolve to an arbitrary path on disk, and the resolver then read that file without consulting the `--allow-read` allowlist. This let a `require(\"evil-pkg\")` call return the contents of a file that a direct `Deno.readTextFileSync(...)` call would have been blocked from reading.\n\n## Details\n\nIn BYONM mode, Deno resolved npm packages directly from a user-managed `node_modules` tree. Resolution of `require(\"pkg\")` proceeded by reading `pkg/package.json`, taking the `main` field, joining it to the package directory, and loading the result as a module.\n\nThe path joined from `main` was not constrained to the package root. A `package.json` such as:\n\n```json\n{ \"main\": \"../../../secret.json\" }\n```\n\nresolved to `node_modules/pkg/../../../secret.json`, escaping `node_modules` entirely. The BYONM permission check accepted any path that contained a `node_modules` component and did not reject `..` traversal, so the resolved path was loaded without a read-permission check.\n\nBecause resolution loaded JSON entrypoints by parsing their contents and returning them through `require`, this exposed the contents of arbitrary `.json` files reachable by the OS user to the requiring code, even when `--allow-read` had been narrowed to a specific directory.\n\nThe same file accessed via `Deno.readTextFileSync` was correctly blocked. The bug was that module resolution did not enforce the same read-permission boundary that the filesystem APIs enforced.\n\n## Proof of concept\n\nThe reporter supplied a self-contained PoC. Layout:\n\n```\n/tmp/deno_byonm_poc/\n\u251c\u2500\u2500 app/\n\u2502   \u251c\u2500\u2500 deno.json            (BYONM enabled)\n\u2502   \u251c\u2500\u2500 exploit.ts           (require(\"evil-pkg\"))\n\u2502   \u2514\u2500\u2500 node_modules/\n\u2502       \u2514\u2500\u2500 evil-pkg/\n\u2502           \u2514\u2500\u2500 package.json (main: \"../../../secret.json\")\n\u2514\u2500\u2500 secret.json              (outside --allow-read scope)\n```\n\nRun:\n\n```bash\ndeno run --no-prompt --allow-read=/tmp/deno_byonm_poc/app exploit.ts\n```\n\nObserved:\n\n- `Deno.readTextFileSync(\"/tmp/deno_byonm_poc/secret.json\")` \u2014 blocked, as\n  expected.\n- `require(\"evil-pkg\")` \u2014 returned the parsed contents of `secret.json`,\n  bypassing the read allowlist.\n\nA control run with BYONM disabled (`--no-config`) blocked the `require` call.\n\n## Impact\n\nThe vulnerability allowed a hostile npm package installed under a BYONM `node_modules` to read JSON files outside the directories granted via `--allow-read`, up to the privileges of the OS user running Deno. In practice this exposed configuration and credential files (`.env.json`, cloud credentials, package lockfiles, etc.) that the user had deliberately excluded from the read scope.\n\nThe vulnerability did not grant any capability beyond what the OS user already held, did not affect runs that granted unrestricted `--allow-read`, and required the user to have installed and then required a hostile package, i.e. an existing supply-chain compromise. The reason it warranted a security advisory rather than a routine bug fix is that Deno\u0027s permission model\npromised that `--allow-read=\u003cscope\u003e` was a hard boundary *even over untrusted npm code*, and that promise was broken.\n\nNot affected:\n\n- Runs without BYONM (default npm resolution went through a separate code\n  path that rejected the traversal).\n- Runs with full `--allow-read` (no boundary to bypass).\n- Non-JSON entrypoints, in practice \u2014 `.js`/`.cjs`/`.mjs` targets executed\n  rather than exposing file contents, which already implied attacker code\n  execution within the granted permission set.\n\n## Workarounds\n\nUsers on unpatched versions could mitigate by:\n\n- Avoiding BYONM mode (`nodeModulesDir: \"manual\"`) for projects that depended\n  on untrusted packages.\n- Auditing `package.json` `main` fields in `node_modules` for `..` segments\n  before running.\n- Granting `--allow-read` only when the read scope already covered every file\n  the OS user could see (in which case there was no boundary to bypass and no\n  additional exposure).",
  "id": "GHSA-968w-xfqw-vp9q",
  "modified": "2026-06-16T19:11:26Z",
  "published": "2026-06-16T19:11:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-968w-xfqw-vp9q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…