Skip to content

Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions

Moderate severity GitHub Reviewed Published May 27, 2026 in denoland/deno • Updated Jun 16, 2026

Package

deno (Rust)

Affected versions

<= 2.7.11

Patched versions

2.7.12

Description

Summary

When Deno was run in BYONM mode (nodeModulesDir: "manual"), the module resolver did not validate that a package's resolved entrypoint stayed within its node_modules/<pkg>/ directory. A malicious package.json whose main field contained .. segments was able to resolve to an arbitrary path on disk, and the resolver then read that file without consulting the --allow-read allowlist. This let a require("evil-pkg") call return the contents of a file that a direct Deno.readTextFileSync(...) call would have been blocked from reading.

Details

In BYONM mode, Deno resolved npm packages directly from a user-managed node_modules tree. Resolution of require("pkg") proceeded by reading pkg/package.json, taking the main field, joining it to the package directory, and loading the result as a module.

The path joined from main was not constrained to the package root. A package.json such as:

{ "main": "../../../secret.json" }

resolved to node_modules/pkg/../../../secret.json, escaping node_modules entirely. The BYONM permission check accepted any path that contained a node_modules component and did not reject .. traversal, so the resolved path was loaded without a read-permission check.

Because resolution loaded JSON entrypoints by parsing their contents and returning them through require, this exposed the contents of arbitrary .json files reachable by the OS user to the requiring code, even when --allow-read had been narrowed to a specific directory.

The same file accessed via Deno.readTextFileSync was correctly blocked. The bug was that module resolution did not enforce the same read-permission boundary that the filesystem APIs enforced.

Proof of concept

The reporter supplied a self-contained PoC. Layout:

/tmp/deno_byonm_poc/
├── app/
│   ├── deno.json            (BYONM enabled)
│   ├── exploit.ts           (require("evil-pkg"))
│   └── node_modules/
│       └── evil-pkg/
│           └── package.json (main: "../../../secret.json")
└── secret.json              (outside --allow-read scope)

Run:

deno run --no-prompt --allow-read=/tmp/deno_byonm_poc/app exploit.ts

Observed:

  • Deno.readTextFileSync("/tmp/deno_byonm_poc/secret.json") — blocked, as
    expected.
  • require("evil-pkg") — returned the parsed contents of secret.json,
    bypassing the read allowlist.

A control run with BYONM disabled (--no-config) blocked the require call.

Impact

The vulnerability allowed a hostile npm package installed under a BYONM node_modules to read JSON files outside the directories granted via --allow-read, up to the privileges of the OS user running Deno. In practice this exposed configuration and credential files (.env.json, cloud credentials, package lockfiles, etc.) that the user had deliberately excluded from the read scope.

The vulnerability did not grant any capability beyond what the OS user already held, did not affect runs that granted unrestricted --allow-read, and required the user to have installed and then required a hostile package, i.e. an existing supply-chain compromise. The reason it warranted a security advisory rather than a routine bug fix is that Deno's permission model
promised that --allow-read=<scope> was a hard boundary even over untrusted npm code, and that promise was broken.

Not affected:

  • Runs without BYONM (default npm resolution went through a separate code
    path that rejected the traversal).
  • Runs with full --allow-read (no boundary to bypass).
  • Non-JSON entrypoints, in practice — .js/.cjs/.mjs targets executed
    rather than exposing file contents, which already implied attacker code
    execution within the granted permission set.

Workarounds

Users on unpatched versions could mitigate by:

  • Avoiding BYONM mode (nodeModulesDir: "manual") for projects that depended
    on untrusted packages.
  • Auditing package.json main fields in node_modules for .. segments
    before running.
  • Granting --allow-read only when the read scope already covered every file
    the OS user could see (in which case there was no boundary to bypass and no
    additional exposure).

References

@bartlomieju bartlomieju published to denoland/deno May 27, 2026
Published to the GitHub Advisory Database Jun 16, 2026
Reviewed Jun 16, 2026
Last updated Jun 16, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(3rd percentile)

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

CVE ID

CVE-2026-49406

GHSA ID

GHSA-968w-xfqw-vp9q

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.