Server-side Request Forgery (SSRF) Affecting deno package, versions <2.8.1


Severity

medium

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS: 0.11% (2nd percentile)

  • Snyk ID: SNYK-RUST-DENO-17660660
  • Published: 27 Jun 2026
  • Disclosed: 16 Jun 2026
  • Credit: Unknown

Introduced: 16 Jun 2026

CVE-2026-49860
CWE-918

How to fix?

Upgrade deno to version 2.8.1 or higher.

Overview

deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the WebSocket connection process. An attacker can bypass network isolation rules and access restricted hosts by using a specially crafted domain name that passes the hostname check but resolves to a denied IP address. This is only exploitable if untrusted or third-party code is run with network restrictions enforced by --deny-net.
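The gap described above, as an added illustration that is not Deno's own code: a simplified model of a deny list in the style of --deny-net, contrasting a check that looks only at the requested hostname with one that also checks every address the name resolves to. The type and function names, the hostnames, the addresses and the in-memory resolver table are all constructed for this example.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// One deny-list entry: a literal IP or a hostname (simplified model, not Deno's types).
#[derive(Debug, PartialEq)]
enum Deny { Ip(IpAddr), Host(String) }

fn parse_deny(entries: &[&str]) -> Vec<Deny> {
    entries.iter().map(|e| match e.parse::<IpAddr>() {
        Ok(ip) => Deny::Ip(ip),
        Err(_) => Deny::Host(e.to_ascii_lowercase()),
    }).collect()
}

/// Weak check: compares only the name (or IP literal) the caller supplied.
fn allowed_by_name(deny: &[Deny], host: &str) -> bool {
    let host = host.to_ascii_lowercase();
    !deny.iter().any(|d| match d {
        Deny::Host(h) => *h == host,
        Deny::Ip(ip) => host.parse::<IpAddr>().map_or(false, |p| p == *ip),
    })
}

/// Hardened check: the name must pass, and so must every address it resolved to.
/// The caller must then connect to exactly these addresses, without resolving again.
fn allowed_after_resolution(deny: &[Deny], host: &str, resolved: &[IpAddr]) -> bool {
    allowed_by_name(deny, host)
        && !resolved.is_empty()
        && resolved.iter().all(|ip| !deny.contains(&Deny::Ip(*ip)))
}

/// Constructed resolver table standing in for DNS so the example runs offline.
fn sample_resolver() -> HashMap<&'static str, Vec<IpAddr>> {
    let mut m = HashMap::new();
    m.insert("alias.example", vec!["10.0.0.5".parse::<IpAddr>().unwrap()]);
    m.insert("public.example", vec!["203.0.113.7".parse::<IpAddr>().unwrap()]);
    m
}

fn main() {
    let deny = parse_deny(&["10.0.0.5"]); // constructed deny list
    let dns = sample_resolver();
    for host in ["alias.example", "public.example", "10.0.0.5"] {
        let ips = dns.get(host).cloned()
            .unwrap_or_else(|| host.parse::<IpAddr>().map(|ip| vec![ip]).unwrap_or_default());
        println!("{}: name-only={} after-resolution={}", host,
            allowed_by_name(&deny, host), allowed_after_resolution(&deny, host, &ips));
    }
}
```

In this model the name-only check accepts alias.example even though it resolves to the denied address, while the post-resolution check rejects it and still accepts public.example.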
