CVE-2025-61786: 
Wolfi vulnerability analysis and mitigation

Deno, a JavaScript, TypeScript, and WebAssembly runtime, was found to contain a permission model bypass vulnerability (CVE-2025-61786) in versions prior to 2.5.3 and 2.2.15. The vulnerability allowed users to bypass the --deny-read permission check when using Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync methods, enabling retrieval of file statistics even when explicit read access was denied (GitHub Advisory).

The vulnerability exists in the file stat operations where Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync methods did not properly enforce permission model checks. When a file was opened with file-write only flags and deny-read permission, it was still possible to retrieve file stats, effectively circumventing the permission model. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (Low) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating local access required with low attack complexity (GitHub Advisory).

The vulnerability allows attackers to bypass permission restrictions and access file statistics for files that should be restricted under the --deny-read permission. While similar APIs like Deno.stat and Deno.statSync properly enforce allow-read permission requirements, this bypass could lead to unauthorized information disclosure about file attributes (GitHub Advisory).

The vulnerability has been patched in Deno versions 2.2.15 and 2.5.3. Users should upgrade to these versions or later to receive the security fix. The fix implements proper permission checks for file stat operations (GitHub Releases, GitHub Releases).