products / deno

Deno

Deno is a secure-by-default runtime for TypeScript and JavaScript backed by Rust and V8. It emphasizes permissions, bundled tooling, and a fresh HTTP stack adjacent to browsers. NVD publishes deno:deno CPE ranges with relatively clean semver alignment compared to sprawling meta-packages.

api usage

Querying Deno

product slugdeno

version format1.20.2, 2.2.0, semver

bash

curl "https://api.attestd.io/v1/check?product=deno&version=1.20.2" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Deno 1.20.2 falls before the patch boundary for CVE-2022-24783 (CVSS 10.0), a WebAssembly memory exposure class issue in the Deno runtime. Expect risk_state: "critical".

json

{
  "product": "deno",
  "version": "1.20.2",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "remote_code_execution",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.20.3",
  "confidence": 0.82,
  "cve_ids": ["CVE-2022-24783"],
  "last_updated": "2026-02-23T18:21:30Z",
  "supply_chain": null
}

safe version

Deno 2.2.0 has no known relevant vulnerabilities at the time of the last synthesis run.

bash

curl "https://api.attestd.io/v1/check?product=deno&version=2.2.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

notable cves

CVE history

Deno's CVE set reflects a modern HTTP and WASM surface with fewer decades of legacy protocol baggage than some servers, but critical issues still appear when memory safety or sandbox boundaries fail.

CVE	Description	Affects	CVSS
`CVE-2022-24783`	Denial of service and memory exposure through WebAssembly surface in affected Deno releases.	< 1.20.3	10.0

All products Node.js Hermes Response Field Reference