
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-48934 affects Deno, a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command, creating a security vulnerability. The issue was discovered and disclosed on June 4, 2025, and has been assigned a CVSS v4.0 score of 5.5 (Medium) (GHSA Advisory).
The vulnerability stems from a design flaw where the Deno.env.toObject method disregards the --deny-env flag restrictions. When using both --allow-env and --deny-env flags, the toObject method returns all environment variables, including those explicitly denied, effectively bypassing the intended security controls. This behavior contradicts the documentation of the --deny-env option, which suggests that listed variables should be impossible to read (Deno Docs).
The vulnerability allows malicious code to access sensitive environment variables that were intended to be restricted. Software relying on the combination of both flags to allow access to most environment variables except sensitive ones is vulnerable to unauthorized access. Attackers could potentially steal secrets using the Deno.env.toObject() method, even when those secrets are explicitly denied through the --deny-env flag (GHSA Advisory).
The vulnerability has been patched in Deno versions 2.1.13 and 2.2.13. Users should upgrade to these or later versions to receive the fix. The patch ensures that the --deny-env flag takes precedence over --allow-env when using Deno.env.toObject() (GHSA Advisory).
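A regression check for the behavior described above, added here as an example and not taken from Deno or the advisory: it derives the deny list from a launch command and reports any denied variable that still appears in a Deno.env.toObject() snapshot. The script name check.js, the variable names and the sample values are constructed, and treating an error from a fixed runtime as "no leak" is an assumption.

```javascript
// Added example, not Deno's code. Variable names and values are constructed.

// Extract the deny list from a `deno run` argument vector.
// Handles the `--deny-env=NAME1,NAME2` form that this page discusses.
function parseDenyEnv(argv) {
  const names = [];
  for (const arg of argv) {
    if (!arg.startsWith("--deny-env=")) continue;
    for (const name of arg.slice("--deny-env=".length).split(",")) {
      if (name !== "" && !names.includes(name)) names.push(name);
    }
  }
  return names;
}

// Denied names that are nevertheless present in an environment snapshot.
// An empty result is what the --deny-env documentation leads you to expect.
function leakedDeniedVars(snapshot, deny) {
  return deny.filter((name) => Object.prototype.hasOwnProperty.call(snapshot, name));
}

// Check the runtime this script is executing in. Returns null outside Deno.
// Assumption: if a fixed runtime refuses the call, the error counts as "no leak".
function checkLiveRuntime(deny) {
  const deno = globalThis.Deno;
  if (deno === undefined) return null;
  try {
    return leakedDeniedVars(deno.env.toObject(), deny);
  } catch (_err) {
    return [];
  }
}

// Constructed launch command and the snapshot an affected runtime would return.
const SAMPLE_ARGV = ["run", "--allow-env", "--deny-env=DB_PASSWORD,API_TOKEN", "app.ts"];
const SAMPLE_SNAPSHOT = { PATH: "/usr/bin", DB_PASSWORD: "constructed", API_TOKEN: "constructed" };

// Under Deno, pass the production deny list as script arguments:
//   deno run --allow-env --deny-env=DB_PASSWORD check.js DB_PASSWORD
const live = checkLiveRuntime(globalThis.Deno ? [...globalThis.Deno.args] : []);
if (live !== null && live.length > 0) {
  console.error("denied variables readable via Deno.env.toObject():", live.join(", "));
  globalThis.Deno.exit(1);
}
```

The check reports variable names only, never values, so its output can be kept in CI logs.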
Source: This report was generated using AI