Incorrect Privilege Assignment in Deno - CVE-2025-61785

 

Published: April 23, 2026


Vulnerability identifier: #VU127062
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-61785
CWE-ID: CWE-266
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Deno Land
Affected software: Deno

Detailed vulnerability description

The vulnerability allows a local user to bypass the write permission model and modify file timestamps.

The vulnerability exists due to incorrect privilege assignment in Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync when operating on an opened file stream resource under --deny-write restrictions. A local user can open a file with read-only permissions and invoke these methods to bypass the write permission model and modify file timestamps.

The issue occurs even when the file is opened with read set to true and write set to false.


How to mitigate CVE-2025-61785

Install the security update from the vendor's website.
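After updating, the check below can confirm that the runtime now rejects the call described above. It is an added example, not code from the advisory or from the Deno project. It assumes a fixed runtime fails `utimeSync` with an error named `NotCapable` or `PermissionDenied`; the `checkUtimeEnforcement` name and the verdict strings are hypothetical.

```typescript
// Added example (not from the advisory or the Deno project).
// Run: deno run --allow-read --deny-write check.ts <path-to-a-readable-file>
type Verdict = "enforced" | "not-enforced" | "inconclusive";

interface Stat { atime: Date | null; mtime: Date | null }
interface ReadOnlyFile {
  statSync(): Stat;
  utimeSync(atime: Date, mtime: Date): void;
  close(): void;
}
type OpenSync = (path: string, opts: { read: boolean; write: boolean }) => ReadOnlyFile;

// Assumption: a runtime that enforces --deny-write reports the refusal
// with one of these error names.
const DENIAL_NAMES = new Set(["NotCapable", "PermissionDenied"]);

function checkUtimeEnforcement(openSync: OpenSync, path: string): Verdict {
  // Same conditions as the advisory: read set to true, write set to false.
  const file = openSync(path, { read: true, write: false });
  try {
    const { atime, mtime } = file.statSync();
    if (!atime || !mtime) return "inconclusive"; // platform reports no timestamps
    try {
      // Re-apply the current values, so a call that succeeds leaves
      // atime and mtime as they were.
      file.utimeSync(atime, mtime);
      return "not-enforced"; // call went through despite --deny-write
    } catch (err) {
      const denied = err instanceof Error && DENIAL_NAMES.has(err.name);
      return denied ? "enforced" : "inconclusive";
    }
  } finally {
    file.close();
  }
}

// Entry point under Deno; skipped when the Deno global is absent.
const deno = (globalThis as any).Deno;
if (deno?.args?.length) {
  const verdict = checkUtimeEnforcement(deno.openSync, deno.args[0]);
  console.log(`utimeSync on a read-only handle under --deny-write: ${verdict}`);
  if (verdict !== "enforced") deno.exit(1);
}
```

A non-zero exit status makes the check usable as a gate in CI or in an image build.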
