Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
🔗 CVE IDs covered (1)
📋 Description
Summary
In Deno, environment access is gated by the env permission. You can deny it
with --deny-env, or restrict it to a specific allowlist with
--allow-env=FOO,BAR. The expectation is that a program running without env
permission cannot change process.env.
process.loadEnvFile() (the Node-compatible API for loading variables from a
.env file) does not honor this. It only checks that the program has
read permission for the dotenv file, then writes every key in that file
into the process environment — even when env access is denied.
In effect, --allow-read plus a writable or attacker-controlled .env file
is enough to defeat --deny-env.
Am I affected?
You are potentially affected if all of the following are true:
- You run Deno v2.3.0 or newer.
- Your program (or any dependency it imports) calls
process.loadEnvFile()fromnode:process. - You rely on Deno's permission model — specifically
--deny-env, an--allow-env=…allowlist, or running without grantingenv— as a security boundary. - The
.envpath passed toloadEnvFile()can be controlled or modified by a less-trusted party (untrusted input, user-writable directory, third-party dependency, etc.) and is covered by your--allow-readgrant.
If your program does not use process.loadEnvFile() at all, or if it already
grants full env access, this advisory does not change your risk.
🎯 Affected products1
- rust/deno:<= 2.8.0