JLSEC-2026-115

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-115.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-115.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-115
Upstream
  • EUVD-2026-2935
Published
2026-04-14T13:10:46.494Z
Modified
2026-04-14T13:31:35.077108527Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass
Details

Summary

A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched .bat or .cmd. That check compares the extension exactly as written against the lowercase literals ".bat" and ".cmd", so it is bypassed whenever the extension uses alternate casing (for example .BAT, .Bat, .CMD). Windows file name lookup is case-insensitive, so test.BAT resolves to the same batch file as test.bat and is still handed to cmd.exe, which re-parses the argument string.
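As an added example, not Deno's own code, the JavaScript below models the two checks the advisory contrasts: a case-sensitive extension comparison of the kind described above, and a hardened version that lowercases the extension before comparing. Function names and the sample paths are this example's own; the trailing-dot/space stripping in the hardened check goes beyond the case fix the advisory describes and rests on the assumption that Win32 path normalization drops those characters from a file name before opening it.

```javascript
// Added example, not Deno's own code: models the two extension checks the
// advisory contrasts. Function names and sample paths are this example's own.

const BLOCKED_EXTENSIONS = [".bat", ".cmd"]; // lowercase literals, as in the prior patch

// Last path component; Windows accepts both separators, so split on either.
function baseName(path) {
  const parts = path.split(/[\\/]/);
  return parts[parts.length - 1];
}

// Extension exactly as written, e.g. ".BAT" for "./test.BAT".
function rawExtension(path) {
  const base = baseName(path);
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot);
}

// Vulnerable check modelled on the advisory: a case-sensitive comparison
// against lowercase literals, so ".BAT" / ".Bat" / ".CMD" slip through.
function isBatchFileNaive(path) {
  return BLOCKED_EXTENSIONS.includes(rawExtension(path));
}

// Hardened check: lowercase before comparing, because Windows file name
// matching is case-insensitive. Also strips trailing dots and spaces, which
// (assumption about the platform) Win32 path normalization drops before a
// file is opened; that is extra hardening beyond the case fix described.
function isBatchFileHardened(path) {
  const base = baseName(path).replace(/[. ]+$/, "");
  const dot = base.lastIndexOf(".");
  const ext = dot === -1 ? "" : base.slice(dot).toLowerCase();
  return BLOCKED_EXTENSIONS.includes(ext);
}

// What a spawn wrapper would do: refuse before anything reaches cmd.exe.
function guardedSpawnTarget(path, check) {
  if (check(path)) {
    throw new Error(`refusing to spawn batch file: ${path}`);
  }
  return path;
}

// Constructed sample paths: the casing variants from the advisory, a
// trailing-dot variant, and two non-batch files that must stay allowed.
const SAMPLES = [
  "./test.bat",
  "./test.BAT",
  "./test.Bat",
  "C:\\tools\\run.CMD",
  "./test.bat.",
  "./test.bat.exe",
  "./tool.exe",
];

// Returns { path: blocked? } for one check, so the two can be compared.
function classify(check) {
  const out = {};
  for (const p of SAMPLES) out[p] = check(p);
  return out;
}

// Paths the naive check lets through but the hardened check rejects.
function bypasses() {
  return SAMPLES.filter((p) => !isBatchFileNaive(p) && isBatchFileHardened(p));
}

console.table({ naive: classify(isBatchFileNaive), hardened: classify(isBatchFileHardened) });
console.log("bypass the naive check:", bypasses());
```

Only the hardened check refuses every casing of the blocked extensions while still allowing ./tool.exe and ./test.bat.exe; the naive check accepts exactly the paths the advisory's POC relies on.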

POC

// Extension is ".BAT": the case-sensitive check does not match ".bat", so the spawn is allowed.
const command = new Deno.Command('./test.BAT', {
  // cmd.exe re-parses the argument string, so '&' starts a second command.
  args: ['&calc.exe'],
});
const child = command.spawn();

Running this launches calc.exe. The original report attaches two screenshots as evidence, captioned as follows.

[Screenshot: patched in CVE-2025-61787, which prevents execution of .bat and .cmd files]

[Screenshot: bypass of the patched vulnerability]

Impact

The script launches calc.exe on Windows, demonstrating that passing user-controlled arguments to a spawned batch script results in command-line injection: cmd.exe re-parses the argument string, so a metacharacter such as & in an argument runs an additional command.

Mitigation

Users should update to Deno v2.5.6 or newer. For the Julia Deno_jll package, the fixed version recorded in this advisory is 2.6.3+0.

Database specific
{
    "sources": [
        {
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-22864",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22864",
            "modified": "2026-01-21T14:32:39.837Z",
            "id": "CVE-2026-22864",
            "imported": "2026-04-14T12:58:55.197Z",
            "published": "2026-01-15T23:15:51.937Z"
        },
        {
            "url": "https://api.github.com/advisories/GHSA-m3c4-prhw-mrx6",
            "html_url": "https://github.com/advisories/GHSA-m3c4-prhw-mrx6",
            "modified": "2026-01-27T16:49:29Z",
            "id": "GHSA-m3c4-prhw-mrx6",
            "imported": "2026-04-14T12:59:06.994Z",
            "published": "2026-01-16T15:49:38Z"
        },
        {
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-2935",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-2935",
            "modified": "2026-01-16T17:16:02Z",
            "id": "EUVD-2026-2935",
            "imported": "2026-04-14T12:58:57.054Z",
            "published": "2026-01-15T22:58:52Z"
        }
    ],
    "license": "CC-BY-4.0"
}
References
Credits

Affected packages

Julia / Deno_jll

Package

Name
Deno_jll
Purl
pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.6.3+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-115.json"