Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with...

5.2 / 10

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile() (the Node-compatible API for loading variables from a .env file) does not honor this. It only checks that the program has read permission for the dotenv file, then writes every key in that file into the process environment — even when env access is denied. In effect, --allow-read plus a writable or attacker-controlled .env file is enough to defeat --deny-env. This vulnerability is fixed in 2.8.1.

Basic Information

ID CVE-2026-49983

Source GitHub_M

Published Jun 23, 2026 at 17:16

Modified Jun 23, 2026 at 17:54

Affected Product

Vendor denoland

Product deno

Version < 2.8.1

Affected Versions denoland deno < 2.8.1

CWE Classification

CWE-863

References

github.com /denoland/deno/security/advisories/GHSA-4c8g-jvcx-v4hv

{
    "lastseen": "",
    "description": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile() (the Node-compatible API for loading variables from a .env file) does not honor this. It only checks that the program has read permission for the dotenv file, then writes every key in that file into the process environment \u2014 even when env access is denied. In effect, --allow-read plus a writable or attacker-controlled .env file is enough to defeat --deny-env. This vulnerability is fixed in 2.8.1.",
    "published": "2026-06-23T17:16:17.026Z",
    "modified": "2026-06-23T17:54:51.686Z",
    "type": "cve",
    "title": "Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access",
    "source": "GitHub_M",
    "references": "https://github.com/denoland/deno/security/advisories/GHSA-4c8g-jvcx-v4hv",
    "id": "CVE-2026-49983",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "denoland deno < 2.8.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.2,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "deno",
    "version": "< 2.8.1",
    "vendor": "denoland",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access_CVE-2026-49983