Skip to content

Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Moderate severity GitHub Reviewed Published May 27, 2026 in denoland/deno • Updated Jun 16, 2026

Package

deno (Rust)

Affected versions

<= 2.7.13

Patched versions

2.7.14

Description

Summary

Deno's permission system enforces filesystem and execution restrictions by
comparing the requested path against the path supplied to --deny-read,
--deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was
done at the raw-byte level while the APFS filesystem treats different Unicode
spellings of the same name as the same file.

That means a program could reach a denied path by spelling it differently than
the deny rule. For example, with --deny-read=/secrets/passwörter.txt, a
script could still read the file by opening /secrets/passwo\u0308rter.txt
(NFD instead of NFC), or /SECRETS/PASSWÖRTER.txt (different case, since
default APFS volumes are case-insensitive). Other forms include ligature
characters ( vs fi, vs ff, …) and German ß vs ss.

The denied path and the requested path differed at the byte level, so Deno's
permission check passed; the kernel then resolved them to the same inode and
served the file anyway. The same flaw affected --deny-write, --deny-run,
and --deny-ffi, which share the same path-comparison code.

Am I affected?

You are potentially affected if all of the following are true:

  1. You run Deno on macOS (the issue is specific to APFS path-equivalence
    rules; Linux and Windows are not affected by this variant).
  2. You rely on --deny-read, --deny-write, --deny-run, or --deny-ffi
    as a security boundary against less-trusted code — a dependency, plugin,
    or attacker-controlled input.
  3. The protected path contains characters that have alternate Unicode
    spellings — most commonly accented characters (é, ñ, ö, …), German
    ß, or Latin ligatures — or you rely on case-sensitivity on a default
    APFS volume.

If you only run fully trusted code, or your deny rules cover paths that are
pure ASCII with no case-sensitive aliases, you are not exposed to this
specific bypass.

Impact

A program running with broad --allow-read (or --allow-write /
--allow-run / --allow-ffi) but with --deny-* carve-outs for specific
paths could read, write, execute, or load via FFI those denied paths by
referring to them through a Unicode- or case-equivalent spelling. The sandbox
model on macOS was weaker than the flags suggested.

Workaround

If you cannot upgrade immediately:

  • Prefer --allow-* allowlists over --deny-* denylists. Allow rules match
    against the original specifier, so an attacker-supplied alternate spelling
    will not match a path you didn't explicitly grant.
  • Do not rely on case-sensitivity of paths on macOS for security boundaries;
    default APFS volumes are case-insensitive.

Fix

On macOS, Deno now normalizes both the deny-rule path and the requested path
to NFC and applies Unicode case folding before comparing them. This matches
how APFS resolves paths at the inode level, so byte-different but equivalent
spellings are now rejected by the same deny rule.

References

@bartlomieju bartlomieju published to denoland/deno May 27, 2026
Published to the GitHub Advisory Database Jun 16, 2026
Reviewed Jun 16, 2026
Last updated Jun 16, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(4th percentile)

Weaknesses

Improper Resolution of Path Equivalence

The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. Learn more on MITRE.

Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding. Learn more on MITRE.

CVE ID

CVE-2026-49401

GHSA ID

GHSA-8xpq-cjcf-3wh9

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.