JLSEC-2026-113
- Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-113.md
- Import Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-113.json
- JSON Data
- https://api.osv.dev/v1/vulns/JLSEC-2026-113
- Upstream
- Published
- 2026-04-14T13:10:46.494Z
- Modified
- 2026-04-14T13:31:35.695328325Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Deno is Vulnerable to Command Injection on Windows During Batch File Execution
- Details
-
Summary
Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.
Details
In Windows,
CreateProcess()always implicitly spawnscmd.exeif a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows as demonstrated by the two proves-of-concept below.PoC
Using
node:child_process(with theenvandrunpermissions):const { spawn } = require('node:child_process'); const child = spawn('./test.bat', ['&calc.exe']);Using
Deno.Command.spawn()(with therunpermission):const command = new Deno.Command('./test.bat', { args: ['&calc.exe'], }); const child = command.spawn();Impact
Both of these scripts result in opening calc.exe on Windows, thus allowing a Command Line Injection attack when user-provided arguments are passed if the script being executed by the child process is a batch script.
- Database specific
{ "license": "CC-BY-4.0", "sources": [ { "id": "CVE-2025-61787", "modified": "2025-10-16T18:14:53.107Z", "imported": "2026-04-14T12:58:55.185Z", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-61787", "published": "2025-10-08T02:15:41.897Z", "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61787" }, { "id": "GHSA-m2gf-x3f6-8hq3", "modified": "2025-10-08T18:16:25Z", "url": "https://api.github.com/advisories/GHSA-m2gf-x3f6-8hq3", "imported": "2026-04-14T12:59:00.312Z", "published": "2025-10-08T18:16:24Z", "html_url": "https://github.com/advisories/GHSA-m2gf-x3f6-8hq3" }, { "id": "EUVD-2025-33179", "modified": "2025-10-08T18:51:09Z", "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2025-33179", "imported": "2026-04-14T12:58:57.176Z", "published": "2025-10-08T00:59:17Z", "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-33179" } ] }- References
-
- https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
- https://github.com/denoland/deno/pull/30818
- https://github.com/denoland/deno/releases/tag/v2.2.15
- https://github.com/denoland/deno/releases/tag/v2.5.3
- https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3
- https://nvd.nist.gov/vuln/detail/CVE-2025-61787
- https://github.com/denoland/deno/releases/tag/v2.5.2
- https://github.com/advisories/GHSA-m2gf-x3f6-8hq3
- Credits
-
-
- R4356th - REPORTER
-