CVE-2025-61786: 
Rust vulnerability analysis and mitigation

CVE-2025-61786 affects Deno, a JavaScript, TypeScript, and WebAssembly runtime. The vulnerability was discovered in versions prior to 2.5.3 and 2.2.15, where Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync methods were not properly limited by the permission model check --deny-read=./. The vulnerability was disclosed on October 7, 2025, and has been assigned a CVSS v3.1 base score of 3.3 (Low) (GitHub Advisory, NVD).

The vulnerability allows bypassing the permission model when using file stat operations. While APIs like Deno.stat and Deno.statSync properly require allow-read permission, the Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync methods can retrieve file stats even when a file is opened with file-write only flags and deny-read permission. This creates a security gap where users can access file information despite explicit read access restrictions. The vulnerability is classified as CWE-269 (Improper Privilege Management) with a CVSS v3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

The vulnerability enables unauthorized access to file statistics information. Even when a script is executed with --deny-read=./ restriction, an attacker can still retrieve stats from files that they should not have read access to, effectively bypassing the intended security controls (GitHub Advisory).

The vulnerability has been fixed in Deno versions 2.5.3 and 2.2.15. Users are advised to upgrade to these patched versions to prevent unauthorized access to file statistics. The fix implements proper permission checks for the affected file stat operations (GitHub Release v2.2.15, GitHub Release v2.5.3).