CVE-2026-49859
MediumCVSS 5.2Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
In Deno prior to version 2.8.1, the fetch() function checked the destination hostname against --deny-net rules but did not re-check the resolved IP addresses. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing network restrictions entirely.
Risk Assessment
The organization may be exposed to unauthorized access to internal or restricted network resources via a malicious script running in Deno, potentially leading to data leakage or violation of network security policies.
Recommendation
Immediately update Deno to version 2.8.1 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP, bypassing the network restriction entirely. This vulnerability is fixed in 2.8.1.

