GHSA-m2gf-x3f6-8hq3

Summary

Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.

Details

In Windows, CreateProcess() always implicitly spawns cmd.exe if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows as demonstrated by the two proves-of-concept below.

PoC

Using node:child_process (with the env and run permissions):

const { spawn } = require('node:child_process');
const child = spawn('./test.bat', ['&calc.exe']);

Using Deno.Command.spawn() (with the run permission):

const command = new Deno.Command('./test.bat', {
  args: ['&calc.exe'],
});
const child = command.spawn();

Impact

Both of these scripts result in opening calc.exe on Windows, thus allowing a Command Line Injection attack when user-provided arguments are passed if the script being executed by the child process is a batch script.