CVE-2025-61786: CWE-269: Improper Privilege Management in denoland deno
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, `Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not limited by the permission model check `--deny-read=./`. It is possible to retrieve stats for files that the user does not have explicit read access to (the script is executed with `--deny-read=./`). Similar APIs like `Deno.stat` and `Deno.statSync` require `allow-read` permission; however, once a file is opened, even with write-only flags and under deny-read permission, it is still possible to retrieve the file's stats, and thus bypass the permission model. Versions 2.5.3 and 2.2.15 fix the issue.
AI Analysis
Technical Summary
Deno is a secure runtime for JavaScript, TypeScript, and WebAssembly that enforces a permission model to restrict file system access. In affected versions prior to 2.5.3 and 2.2.15, the methods Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync do not enforce the --deny-read permission flag. While APIs like Deno.stat and Deno.statSync require explicit allow-read permission, these handle methods can be called on a file handle opened with write-only flags, bypassing the read restriction and allowing retrieval of file metadata such as size, modification time, and permissions. This flaw constitutes an improper privilege management vulnerability (CWE-269) because it violates the intended access control policy. The vulnerability is limited to information disclosure of file metadata, not file contents, and requires the attacker to have some level of local code execution with limited read privileges. The issue was identified and patched in versions 2.5.3 and 2.2.15, closing the permission bypass. No public exploits have been reported, indicating low active threat but potential risk in environments relying on strict permission enforcement.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of file metadata, which may aid attackers in reconnaissance or in crafting further attacks by revealing file existence, sizes, and modification times. Although it does not expose file contents, metadata can still leak sensitive operational information or system structure. Organizations using Deno in development, CI/CD pipelines, or serverless environments where scripts run with restricted permissions are at risk. This could impact confidentiality and potentially facilitate privilege escalation or lateral movement if combined with other vulnerabilities. The low CVSS score reflects limited impact and exploitation complexity, but the risk is higher in sensitive environments or where Deno is used in multi-tenant or shared infrastructure common in European cloud deployments.
Mitigation Recommendations
European organizations should immediately upgrade all Deno runtime instances to version 2.5.3 or later (or 2.2.15 or later on the 2.2 line) to remediate this vulnerability. Review and audit permission configurations in Deno scripts to ensure the principle of least privilege is enforced. Avoid opening files with write-only flags if file metadata access is not required. Implement runtime monitoring to detect anomalous use of file stat APIs. In environments where upgrading is delayed, consider restricting execution of untrusted or third-party Deno scripts and isolating Deno workloads to minimize potential impact. Incorporate this vulnerability into vulnerability management and patching workflows, and educate developers on secure use of Deno’s permission model.
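As an added example (not from the advisory or the Deno project), a small TypeScript audit helper for the upgrade and the bypass described above: `isAffected` classifies a `deno --version` string against the fixed versions the advisory states, and `probeFsFileStat` is a self-test which, when run under Deno as `deno run --allow-write --deny-read=./ audit.ts`, creates its own scratch file with write-only flags and reports whether the handle's `stat()` is refused (patched) or answered (affected). The scratch file name, the function names and the error-name check are assumptions.

```typescript
// Added example, not Deno's own code. Fixed versions per the advisory: 2.5.3 and 2.2.15.
type Ver = [number, number, number];

// Accepts a bare "2.5.2" or the first line of `deno --version`
// ("deno 2.5.2 (stable, release, x86_64-unknown-linux-gnu)").
function parseDenoVersion(s: string): Ver | null {
  const m = s.match(/(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function lt(a: Ver, b: Ver): boolean {
  if (a[0] !== b[0]) return a[0] < b[0];
  if (a[1] !== b[1]) return a[1] < b[1];
  return a[2] < b[2];
}

// True when FsFile.stat()/statSync() still ignore --deny-read:
// anything before 2.5.3, except the 2.2 maintenance line from 2.2.15 on.
function isAffected(versionString: string): boolean {
  const v = parseDenoVersion(versionString);
  if (v === null) return true; // unparseable: treat as unpatched
  const fixedOn22Line = v[0] === 2 && v[1] === 2 && v[2] >= 15;
  return lt(v, [2, 5, 3]) && !fixedOn22Line;
}

// Live self-test, only meaningful under Deno:
//   deno run --allow-write --deny-read=./ audit.ts
// Opens a scratch file it creates itself with write-only flags and asks the
// handle for stat(). A patched runtime refuses with a permission error; an
// affected runtime returns the metadata. Returns "skipped" outside Deno.
async function probeFsFileStat(): Promise<"patched" | "affected" | "skipped"> {
  const D = (globalThis as any).Deno;
  if (!D) return "skipped";
  const path = "./cve-2025-61786-probe.tmp"; // assumed scratch name, removed afterwards
  const f = await D.open(path, { write: true, create: true });
  try {
    await f.stat();
    return "affected";
  } catch (e) {
    const name = (e as any)?.name;
    if (name === "NotCapable" || name === "PermissionDenied") return "patched";
    throw e; // some other failure: do not report a verdict
  } finally {
    f.close();
    await D.remove(path).catch(() => {});
  }
}

if ((globalThis as any).Deno) {
  probeFsFileStat().then((r) => console.log(`deno ${(globalThis as any).Deno.version.deno}: ${r}`));
}
```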
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-30T19:43:49.903Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e5b7a8a677756fc9ab1387
Added to database: 10/8/2025, 1:00:24 AM
Last enriched: 10/8/2025, 1:15:22 AM
Last updated: 10/8/2025, 10:56:27 PM