JLSEC-2026-109

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-109.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-109.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-109
Upstream
  • EUVD-2025-16912
Published
2026-04-14T13:10:46.494Z
Modified
2026-04-14T13:31:34.294359049Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Deno run with --allow-read and --deny-read flags results in allowed
Details

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, running deno run --allow-read --deny-read main.ts leaves read access allowed, even though the deny flag should take precedence. The same happens for every global unary permission passed as --allow-* --deny-*. This only affects a nonsensical combination of flags, so there should be no real impact on the user base. Users can upgrade to version 2.1.13, 2.2.13, or 2.3.2 to receive a patch.
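
To check scripts or CI definitions for the flag combination described above, the following added example (not part of the advisory or of Deno) reports `deno run` command lines that pass both a global --allow-<perm> and a global --deny-<perm>. The function names and sample lines are constructed for illustration, and only the long flag forms shown in the advisory are matched.

```javascript
// Added example: find `deno run` command lines that pair a global
// --allow-<perm> with a global --deny-<perm> (no "=value" scope on either).
const FLAG = /^--(allow|deny)-([a-z]+)(=.*)?$/;

// Hypothetical helper: returns the sorted permission names that are both
// globally allowed and globally denied in one command line.
function conflictingGlobalPermissions(commandLine) {
  const tokens = commandLine.trim().split(/\s+/);
  const runAt = tokens.indexOf("run");
  if (tokens[0] !== "deno" || runAt === -1) return [];
  const seen = { allow: new Set(), deny: new Set() };
  for (const tok of tokens.slice(runAt + 1)) {
    // Simplification: the first non-flag token is taken as the script path,
    // so everything after it belongs to the script. A runtime flag that
    // takes a space-separated value would end the scan early.
    if (!tok.startsWith("-")) break;
    const m = FLAG.exec(tok);
    if (!m) continue;
    const [, kind, perm, value] = m;
    if (value === undefined) seen[kind].add(perm); // scoped flags are skipped
  }
  return [...seen.allow].filter((p) => seen.deny.has(p)).sort();
}

// Hypothetical helper: audit a list of command lines, 1-based line numbers.
function audit(lines) {
  return lines
    .map((line, i) => ({ line: i + 1, perms: conflictingGlobalPermissions(line) }))
    .filter((r) => r.perms.length > 0);
}

// Constructed sample input.
const SAMPLE = [
  "deno run --allow-read --deny-read main.ts",             // the advisory's case
  "deno run --allow-read --deny-read=/etc main.ts",        // deny is scoped
  "deno run --allow-net --allow-env --deny-env --deny-net server.ts",
  "deno run --allow-read main.ts --deny-read",             // script argument
  "deno test --allow-read",                                // not `deno run`
];

console.log(JSON.stringify(audit(SAMPLE)));
```

A hit means the command relies on the deny flag winning, which the affected versions do not guarantee; drop the redundant allow flag or upgrade to a patched release.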

Database specific
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "id": "CVE-2025-48888",
            "modified": "2025-07-02T14:05:20.353Z",
            "imported": "2026-04-14T12:58:55.127Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-48888",
            "published": "2025-06-04T20:15:23.977Z",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48888"
        },
        {
            "id": "GHSA-xqxc-x6p3-w683",
            "modified": "2025-07-02T18:29:57Z",
            "imported": "2026-04-14T12:58:59.043Z",
            "url": "https://api.github.com/advisories/GHSA-xqxc-x6p3-w683",
            "published": "2025-06-04T21:13:44Z",
            "html_url": "https://github.com/advisories/GHSA-xqxc-x6p3-w683"
        },
        {
            "id": "EUVD-2025-16912",
            "modified": "2025-06-04T19:32:53Z",
            "imported": "2026-04-14T12:58:57.176Z",
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2025-16912",
            "published": "2025-06-04T19:15:55Z",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-16912"
        }
    ]
}

Affected packages

Julia / Deno_jll

Package

Name
Deno_jll
Purl
pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0+0
Fixed
2.6.3+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-109.json"