CVE Catalog

CVE-2026-49983

MediumCVSS 5.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

1th percentile — higher than 1% of all known CVEs

Summary

In Deno prior to 2.8.1, the process.loadEnvFile() function does not honor environment permission restrictions (--deny-env). It allows writing variables from a .env file into the process even when environment access is denied.

Risk Assessment

An attacker with write access or control over a .env file can bypass --deny-env restrictions and inject arbitrary environment variables, potentially leading to privilege escalation or data leakage.

Recommendation

Update Deno to version 2.8.1 or later immediately. Until updated, avoid using process.loadEnvFile() in environments with restricted environment variable access.

Original NVD description (English source)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile() (the Node-compatible API for loading variables from a .env file) does not honor this. It only checks that the program has read permission for the dotenv file, then writes every key in that file into the process environment — even when env access is denied. In effect, --allow-read plus a writable or attacker-controlled .env file is enough to defeat --deny-env. This vulnerability is fixed in 2.8.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS