CVE Catalog

CVE-2026-49859

MediumCVSS 5.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.11%

1th percentile — higher than 1% of all known CVEs

Summary

In Deno prior to version 2.8.1, the fetch() function checked the destination hostname against --deny-net rules but did not re-check the resolved IP addresses. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing network restrictions entirely.

Risk Assessment

The organization may be exposed to unauthorized access to internal or restricted network resources via a malicious script running in Deno, potentially leading to data leakage or violation of network security policies.

Recommendation

Immediately update Deno to version 2.8.1 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS