CVE-2025-61785

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-61785

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61785.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-61785

Aliases

GHSA-vg2r-rmgp-cgqj

Published

2025-10-08T00:37:01.869Z

Modified

2025-12-05T10:21:17.699654Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Deno's --deny-write check does not prevent permission bypass

Details

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync are not limited by the permission model check --deny-write=./. It's possible to change to change the access (atime) and modification (mtime) times on the file stream resource even when the file is opened with read only permission (and write: false) and file write operations are not allowed (the script is executed with --deny-write=./). Similar APIs like Deno.utime and Deno.utimeSync require allow-write permission, however, when a file is opened, even with read only flags and deny-write permission, it's still possible to change the access (atime) and modification (mtime) times, and thus bypass the permission model. Versions 2.5.3 and 2.2.15 fix the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-266"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61785.json"
}

References

Affected packages

Git / github.com/denoland/deno

Affected ranges

Type

GIT

Repo

https://github.com/denoland/deno

Events

Introduced

61574bb9c9c255d5c661add6c7464af30475c197

Fixed

1c3d04cfaf50a4a0db7a1925c0a73af5ea89bc69

Database specific

{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.5.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/denoland/deno

Events

Introduced

Fixed

5f6b1329dfd377ff03a389fb32faf73bb966e81d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.15"
        }
    ]
}

Affected versions

std/0.*

std/0.34.0

std/0.35.0

std/0.36.0

std/0.37.0

std/0.38.0

std/0.39.0

std/0.40.0

std/0.41.0

std/0.42.0

std/0.50.0

std/0.51.0

std/0.52.0

std/0.53.0

std/0.54.0

std/0.55.0

std/0.56.0

std/0.57.0

std/0.58.0

std/0.59.0

std/0.60.0

std/0.61.0

std/0.62.0

std/0.63.0

std/0.64.0

std/0.65.0

std/0.66.0

std/0.67.0

std/0.68.0

std/0.69.0

std/0.70.0

std/0.71.0

std/0.72.0

std/0.73.0

std/0.74.0

std/0.75.0

std/0.76.0

std/0.77.0

std/0.78.0

std/0.79.0

std/0.80.0

std/0.81.0

std/0.82.0

std/0.83.0

std/0.84.0

std/0.85.0

v0.*

v0.0.1

v0.0.3

v0.1.0

v0.1.1

v0.1.10

v0.1.11

v0.1.12

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.2.0

v0.2.1

v0.2.10

v0.2.11

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.2.9

v0.20.0

v0.21.0

v0.22.0

v0.23.0

v0.24.0

v0.25.0

v0.26.0

v0.27.0

v0.28.0

v0.28.1

v0.29.0

v0.3.0

v0.3.1

v0.3.10

v0.3.11

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.30.0

v0.30.1

v0.31.0

v0.32.0

v0.33.0

v0.34.0

v0.35.0

v0.36.0

v0.37.0

v0.37.1

v0.38.0

v0.39.0

v0.4.0

v0.40.0

v0.41.0

v0.42.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0

v1.*

v1.0.0

v1.0.0-rc1

v1.0.0-rc2

v1.0.0-rc3

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.10.0

v1.10.1

v1.10.3

v1.11.0

v1.11.1

v1.11.2

v1.12.0

v1.12.1

v1.12.2

v1.13.0

v1.13.1

v1.13.2

v1.14.0

v1.14.1

v1.14.2

v1.15.0

v1.15.1

v1.15.2

v1.15.3

v1.16.0

v1.16.1

v1.16.2

v1.17.0

v1.18.0

v1.19.0

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.20.0

v1.20.1

v1.21.0

v1.22.0

v1.23.0

v1.24.0

v1.25.0

v1.26.0

v1.27.0

v1.28.0

v1.29.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.30.0

v1.31.0

v1.32.0

v1.33.0

v1.34.0

v1.35.0

v1.36.0

v1.37.0

v1.38.0

v1.39.0

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.40.0

v1.41.0

v1.42.0

v1.43.0

v1.43.1

v1.44.0

v1.45.0

v1.46.0

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.4

v1.8.0

v1.8.1

v1.8.2

v1.9.0

v1.9.1

v1.9.2

v2.*

v2.0.0

v2.1.0

v2.2.0

v2.2.1

v2.2.10

v2.2.11

v2.2.12

v2.2.13

v2.2.14

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.5.0

v2.5.1

v2.5.2