CVE-2025-48935 MEDIUM

CVE-2025-48935: Deno has --allow-read / --allow-write permission bypass in `node:sqlite`

Vendor Denoland

Product deno

Weakness CWE-863 · Incorrect authorization

Published June 4, 2025

Last update June 4, 2025

View on NVD All CVEs

CVSS base score

5.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass Deno's permission read/write db permission check by using `ATTACH DATABASE` statement. Version 2.2.5 contains a patch for the issue.

Key dates

02Disclosure timeline

June 4, 2025 CVE published

June 4, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-48935 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

04Related CVE

CVE-2026-44330 free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions CVE-2026-34507 OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom Checks CVE-2024-8650 Incorrect Authorization in GitLab CVE-2026-53521 Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context CVE-2023-5009 Incorrect Authorization in GitLab