CVE-2025-48934

NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-48934
CWE	https://cwe.mitre.org/data/definitions/201.html

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read. Software relying on the combination of both flags to allow access to most environment variables except a few sensitive ones will be vulnerable to malicious code trying to steal secrets using the Deno.env.toObject() method. Versions 2.1.13 and 2.2.13 contains a patch.

Weakness

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Potential Mitigations

Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Insertion of Sensitive Information Into Sent Data

Weakness

Potential Mitigations

References

CVE-2025-48934

Insertion of Sensitive Information Into Sent Data

Weakness

Potential Mitigations

Related Attack Patterns

References