CVE Catalog

CVE-2026-49401

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile — higher than 3% of all known CVEs

Summary

In Deno before version 2.7.14, the permission system compared paths at the raw-byte level while the APFS filesystem on macOS treats different Unicode spellings of the same name as the same file. This allows a program to bypass deny rules by using alternative Unicode spellings.

Risk Assessment

The organization is at risk of unauthorized access to files, code execution, or FFI calls that should be blocked by --deny-read, --deny-write, --deny-run, or --deny-ffi rules.

Recommendation

Update Deno to version 2.7.14 or later immediately, which contains the fix for this vulnerability.

Original NVD description (English source)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS