CVE-2025-48934: Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. Someone relying on the documentation of the --deny-env option may therefore get the false impression that variables listed in the option are impossible to read.
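A runtime can be checked for this gap by comparing the per-variable read with the bulk read. The following is an added example, not code from the Deno project or the advisory; the helper names findDenyEnvLeaks and makeEnv, the file name check.js and the variable API_TOKEN are assumptions, and the filtered toObject() in the stand-in is only one assumed form of corrected behaviour.

```javascript
// Added example: regression check for CVE-2025-48934.
// `env` is any object with the get()/toObject() shape of Deno.env, so the
// check works on the real Deno.env and on constructed stand-ins.

// Returns the denied names whose values are still exposed by toObject().
function findDenyEnvLeaks(env, deniedNames) {
  let snapshot;
  try {
    snapshot = env.toObject();
  } catch (_err) {
    return []; // bulk read refused outright: nothing is exposed
  }
  return deniedNames.filter((name) => {
    let getBlocked = false;
    try {
      env.get(name);
    } catch (_err) {
      getBlocked = true; // the deny list is enforced for single reads
    }
    // Leak: the single read is refused, yet the bulk read contains the name.
    return getBlocked && Object.prototype.hasOwnProperty.call(snapshot, name);
  });
}

// Constructed stand-in (hypothetical helper). get() honours the deny list;
// toObject() either returns everything, as the advisory describes, or filters
// denied names (an assumed corrected behaviour, for illustration only).
function makeEnv(vars, denied, bulkHonoursDeny) {
  return {
    get(name) {
      if (denied.includes(name)) throw new Error(`access to "${name}" denied`);
      return vars[name];
    },
    toObject() {
      const entries = Object.entries(vars);
      return Object.fromEntries(
        bulkHonoursDeny ? entries.filter(([k]) => !denied.includes(k)) : entries,
      );
    },
  };
}

// Live check under Deno, for example:
//   deno run --allow-env --deny-env=API_TOKEN check.js API_TOKEN
if (typeof Deno !== "undefined") {
  const leaks = findDenyEnvLeaks(Deno.env, Deno.args);
  console.log(leaks.length ? `deny-env bypassed for: ${leaks.join(", ")}` : "no leak detected");
}
```

Pass the same names on the command line that appear in --deny-env; an empty result means toObject() did not expose any of them.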
References
- docs.deno.com/api/deno/~/Deno.Env.toObject
- docs.deno.com/runtime/fundamentals/security/
- github.com/advisories/GHSA-7w8p-chxq-2789
- github.com/denoland/deno
- github.com/denoland/deno/commit/2959e083912420988066a001c2b2d6732a1b562f
- github.com/denoland/deno/commit/946ccda1aa19a00c478a5e6826b75053b050d753
- github.com/denoland/deno/pull/29079
- github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789
- nvd.nist.gov/vuln/detail/CVE-2025-48934