CVE-2026-49401
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
In Deno before version 2.7.14, the permission system compared paths at the raw-byte level while the APFS filesystem on macOS treats different Unicode spellings of the same name as the same file. This allows a program to bypass deny rules by using alternative Unicode spellings.
Risk Assessment
The organization is at risk of unauthorized access to files, code execution, or FFI calls that should be blocked by --deny-read, --deny-write, --deny-run, or --deny-ffi rules.
Recommendation
Update Deno to version 2.7.14 or later immediately, which contains the fix for this vulnerability.
Original NVD description (English source)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different Unicode spellings of the same name as the same file. That means a program could reach a denied path by spelling it differently than the deny rule. This vulnerability is fixed in 2.7.14.

