{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-48934","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-05-28T18:49:07.575Z","datePublished":"2025-06-04T19:21:17.701Z","dateUpdated":"2025-06-04T19:32:14.582Z"},"containers":{"cna":{"title":"Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables","problemTypes":[{"descriptions":[{"cweId":"CWE-201","lang":"en","description":"CWE-201: Insertion of Sensitive Information Into Sent Data","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P","version":"4.0"}}],"references":[{"name":"https://github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789","tags":["x_refsource_CONFIRM"],"url":"https://github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789"},{"name":"https://github.com/denoland/deno/pull/29079","tags":["x_refsource_MISC"],"url":"https://github.com/denoland/deno/pull/29079"},{"name":"https://github.com/denoland/deno/commit/2959e083912420988066a001c2b2d6732a1b562f","tags":["x_refsource_MISC"],"url":"https://github.com/denoland/deno/commit/2959e083912420988066a001c2b2d6732a1b562f"},{"name":"https://github.com/denoland/deno/commit/946ccda1aa19a00c478a5e6826b75053b050d753","tags":["x_refsource_MISC"],"url":"https://github.com/denoland/deno/commit/946ccda1aa19a00c478a5e6826b75053b050d753"},{"name":"https://docs.deno.com/api/deno/~/Deno.Env.toObject","tags":["x_refsource_MISC"],"url":"https://docs.deno.com/api/deno/~/Deno.Env.toObject"},{"name":"https://docs.deno.com/runtime/fundamentals/security/#environment-variables","tags":["x_refsource_MISC"],"url":"https://docs.deno.com/runtime/fundamentals/security/#environment-variables"}],"affected":[{"vendor":"denoland","product":"deno","versions":[{"version":"< 2.1.13","status":"affected"},{"version":">= 2.2.0, < 2.2.13","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-06-04T19:21:17.701Z"},"descriptions":[{"lang":"en","value":"Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the `Deno.env.toObject` method ignores any variables listed in the `--deny-env` option of the `deno run` command and returns all environment variables. The documentation of the `--deny-env` option might give the false impression that variables listed in the option are impossible to read. Software relying on the combination of the `--allow-env` and `--deny-env` flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the `Deno.env.toObject()` method. Versions 2.1.13 and 2.2.13 contain a patch."}],"source":{"advisory":"GHSA-7w8p-chxq-2789","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-06-04T19:32:01.410953Z","id":"CVE-2025-48934","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-04T19:32:14.582Z"}}]}}