CVE-2025-61785: 
Rust vulnerability analysis and mitigation

CVE-2025-61785 affects Deno, a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync are not properly limited by the permission model check --deny-write=./. The vulnerability was discovered by researcher dellalibera and was patched in versions 2.5.3 and 2.2.15, released on October 2, 2025 (Deno Release, Deno Advisory).

The vulnerability allows modification of file metadata (access time atime and modification time mtime) on file stream resources even when the file is opened with read-only permission and write operations are denied through the --deny-write=./ flag. While similar APIs like Deno.utime and Deno.utimeSync properly enforce write permissions, the file-specific methods bypass these restrictions. The vulnerability has been assigned a CVSS v3 score of 3.3 (Low) with vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Deno Advisory).

The vulnerability allows attackers to bypass permission restrictions and modify file metadata timestamps even when write access is explicitly denied. While the impact is limited to timestamp modification and doesn't allow actual file content changes, it represents a security model bypass that could potentially be used in more sophisticated attacks (Deno Advisory).

Users should upgrade to Deno version 2.5.3 or 2.2.15 or later, which contain the fix for this vulnerability. The fix implements proper permission checks for the utime and utimeSync methods on file handles (Deno Release).