GHSA-M2GF-X3F6-8HQ3

Vulnerability from github – Published: 2025-10-08 18:16 – Updated: 2025-10-08 18:16
Summary
Deno is Vulnerable to Command Injection on Windows During Batch File Execution
Details

Summary

Deno versions up to and including 2.5.1 (fixed in 2.5.2) are vulnerable to command line injection on Windows when batch files are executed.

Details

On Windows, CreateProcess() implicitly spawns cmd.exe whenever the target is a batch file (.bat, .cmd), even if the caller never named cmd.exe on the command line. The arguments are therefore re-parsed by cmd.exe, so a metacharacter such as & inside a user-supplied argument is interpreted as a command separator rather than as data. This makes Deno vulnerable to command injection on Windows, as demonstrated by the two proofs of concept below.

PoC

Using node:child_process (with the env and run permissions):

const { spawn } = require('node:child_process');
// A .bat target makes CreateProcess() route the command line through cmd.exe,
// which treats "&" as a command separator and starts calc.exe as a second command.
const child = spawn('./test.bat', ['&calc.exe']);

Using Deno.Command.spawn() (with the run permission):

// Same effect through Deno's native API: the argument is never shell-quoted
// for cmd.exe, so "&calc.exe" is executed after test.bat.
const command = new Deno.Command('./test.bat', {
  args: ['&calc.exe'],
});
const child = command.spawn();

Impact

Both scripts open calc.exe on Windows. Any Deno program that forwards user-controlled arguments to a child process whose target is a batch script is therefore exposed to command line injection, even though it never invoked a shell explicitly.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-08T18:16:24Z",
    "nvd_published_at": "2025-10-08T02:15:41Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nDeno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.\n\n### Details\nIn Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows as demonstrated by the two proves-of-concept below.\n\n### PoC\nUsing `node:child_process` (with the `env` and `run` permissions):\n```JS\nconst { spawn } = require(\u0027node:child_process\u0027);\nconst child = spawn(\u0027./test.bat\u0027, [\u0027\u0026calc.exe\u0027]);\n```\nUsing `Deno.Command.spawn()` (with the `run` permission):\n```JS\nconst command = new Deno.Command(\u0027./test.bat\u0027, {\n  args: [\u0027\u0026calc.exe\u0027],\n});\nconst child = command.spawn();\n```\n\n### Impact\nBoth of these scripts result in opening calc.exe on Windows, thus allowing a Command Line Injection attack when user-provided arguments are passed if the script being executed by the child process is a batch script.",
  "id": "GHSA-m2gf-x3f6-8hq3",
  "modified": "2025-10-08T18:16:24Z",
  "published": "2025-10-08T18:16:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61787"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/pull/30818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.2.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.5.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno is Vulnerable to Command Injection on Windows During Batch File Execution"
}

