ghsa-m2gf-x3f6-8hq3
Vulnerability from github
Summary
Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.
Details
On Windows, CreateProcess() always implicitly spawns cmd.exe when the file being executed is a batch file (.bat, .cmd, etc.), even if the application never asked for a shell on the command line. Because the arguments are then parsed by cmd.exe rather than passed verbatim to the program, Deno is vulnerable to a command injection attack on Windows, as demonstrated by the two proofs of concept below.
PoC
Using node:child_process (with the env and run permissions):
```js
const { spawn } = require('node:child_process');
const child = spawn('./test.bat', ['&calc.exe']);
```
Using Deno.Command.spawn() (with the run permission):
```js
const command = new Deno.Command('./test.bat', {
  args: ['&calc.exe'],
});
const child = command.spawn();
```
Impact
Both of these scripts open calc.exe on Windows. A Command Line Injection is therefore possible whenever user-provided arguments are passed to a child process whose target is a batch script.
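One defensive check that follows from the Details section above: because every .bat/.cmd target goes through cmd.exe, arguments bound for such a file must be validated before the spawn call. The following guard is an added example, not Deno's code and not the fix shipped in 2.5.2; the function names and the metacharacter set are my own assumptions. It refuses rather than escapes, since cmd.exe expands `%` before it honours `^` escapes and cannot escape newlines at all.

```javascript
// Added example (not Deno's code): a pre-spawn guard for batch-file targets on Windows.
// CreateProcess() runs .bat/.cmd files through cmd.exe, so arguments reach a shell
// parser regardless of which spawn API was used. This guard refuses any argument that
// cmd.exe would treat as a command separator, redirection, expansion or quote toggle.

// Extensions that CreateProcess() hands to cmd.exe (assumption: only these two).
const BATCH_EXTENSIONS = new Set(['.bat', '.cmd']);

// Characters cmd.exe interprets on its command line. CR/LF cannot be escaped at all;
// & | < > ( ) separate or redirect commands; ^ is the escape character; % and !
// trigger variable expansion; a stray " flips cmd.exe's quoting state.
const CMD_METACHARACTERS = /[&|<>^()!%"\r\n]/;

function isBatchFile(file) {
  const dot = file.lastIndexOf('.');
  if (dot === -1) return false;
  return BATCH_EXTENSIONS.has(file.slice(dot).toLowerCase());
}

// Returns { ok: true } when every argument is safe to forward to the target, or
// { ok: false, index, reason } naming the first offending argument. Non-batch
// targets are accepted unchanged because no shell is involved for them.
function checkBatchSpawn(file, args) {
  if (!isBatchFile(file)) return { ok: true };
  for (let i = 0; i < args.length; i++) {
    const m = CMD_METACHARACTERS.exec(args[i]);
    if (m) {
      return {
        ok: false,
        index: i,
        reason: `cmd.exe metacharacter ${JSON.stringify(m[0])} in argument ${i}`,
      };
    }
  }
  return { ok: true };
}

// Call this in front of Deno.Command / child_process.spawn; it throws instead of
// letting user-controlled shell syntax reach cmd.exe.
function guardedSpawnArgs(file, args) {
  const verdict = checkBatchSpawn(file, args);
  if (!verdict.ok) throw new TypeError(`refusing to spawn ${file}: ${verdict.reason}`);
  return { file, args };
}
```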
```json
{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-08T18:16:24Z",
    "nvd_published_at": "2025-10-08T02:15:41Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nDeno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.\n\n### Details\nIn Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows as demonstrated by the two proves-of-concept below.\n\n### PoC\nUsing `node:child_process` (with the `env` and `run` permissions):\n```JS\nconst { spawn } = require(\u0027node:child_process\u0027);\nconst child = spawn(\u0027./test.bat\u0027, [\u0027\u0026calc.exe\u0027]);\n```\nUsing `Deno.Command.spawn()` (with the `run` permission):\n```JS\nconst command = new Deno.Command(\u0027./test.bat\u0027, {\n args: [\u0027\u0026calc.exe\u0027],\n});\nconst child = command.spawn();\n```\n\n### Impact\nBoth of these scripts result in opening calc.exe on Windows, thus allowing a Command Line Injection attack when user-provided arguments are passed if the script being executed by the child process is a batch script.",
  "id": "GHSA-m2gf-x3f6-8hq3",
  "modified": "2025-10-08T18:16:24Z",
  "published": "2025-10-08T18:16:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61787"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/pull/30818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.2.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.5.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno is Vulnerable to Command Injection on Windows During Batch File Execution"
}
```