CVSS score: 8.1
Deno on Windows: Malicious Batch Files Can Launch Unintended Programs
JLSEC-2026-113
Summary
Deno, a JavaScript runtime, has a security issue on Windows that allows attackers to execute unauthorized programs by supplying crafted arguments when a batch file is executed. This can happen if user-supplied data is passed to a batch script without validation. To stay secure, ensure you're running the latest version of Deno and validate any user input before passing it to batch files.
What to do
- Update deno_jll to version 2.6.3+0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | deno_jll | <= 2.6.3+0 | 2.6.3+0 |
Original title
Deno is Vulnerable to Command Injection on Windows During Batch File Execution
Original description
### Summary
Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.
### Details
In Windows, `CreateProcess()` always implicitly spawns `cmd.exe` if a batch file (.bat, .cmd, etc.) is being executed, even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows, as demonstrated by the two proofs-of-concept below.
### PoC
Using `node:child_process` (with the `env` and `run` permissions):
```JS
const { spawn } = require('node:child_process');
const child = spawn('./test.bat', ['&calc.exe']);
```
Using `Deno.Command.spawn()` (with the `run` permission):
```JS
const command = new Deno.Command('./test.bat', {
args: ['&calc.exe'],
});
const child = command.spawn();
```
### Impact
Both of these scripts result in opening calc.exe on Windows, thus allowing a Command Line Injection attack when user-provided arguments are passed if the script being executed by the child process is a batch script.
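An added example of the input validation the summary recommends; this is not Deno's or the advisory's code. It applies only to batch-file targets (the case where Windows routes the command line through cmd.exe) and rejects any argument containing characters outside a conservative allow-list, so the `&calc.exe` argument from the PoC is refused before any process is started. The names `checkSpawn` and `spawnGuarded` are this example's own.

```javascript
// Added example (not Deno's own code): refuse to hand untrusted arguments
// to a batch file, because CreateProcess() runs .bat/.cmd via cmd.exe and
// cmd.exe re-parses the whole command line, metacharacters included.

// Extensions Windows executes through cmd.exe. Extend as needed.
const BATCH_EXTENSIONS = new Set(['.bat', '.cmd']);

// Allow-list of characters that cmd.exe does not interpret. This is
// deliberately strict: rejecting is safer than trying to escape for cmd.exe.
const SAFE_ARG = /^[A-Za-z0-9_.,:=+\-\\/ ]*$/;

// True when the target's last extension marks it as a batch file (case-insensitive).
function isBatchFile(target) {
  const m = /\.([^./\\]+)$/.exec(target);
  return m !== null && BATCH_EXTENSIONS.has('.' + m[1].toLowerCase());
}

// Returns the first argument that fails the allow-list, or null.
function findUnsafeArg(args) {
  for (const a of args) {
    if (!SAFE_ARG.test(a)) return a;
  }
  return null;
}

// Verdict for a proposed spawn. Non-batch targets pass through unchanged:
// their argv is not re-parsed by a shell, so the batch rule does not apply.
function checkSpawn(target, args) {
  if (!isBatchFile(target)) return { ok: true, reason: null };
  const bad = findUnsafeArg(args);
  if (bad !== null) {
    return {
      ok: false,
      reason: `argument ${JSON.stringify(bad)} contains characters outside the batch-safe set`,
    };
  }
  return { ok: true, reason: null };
}

// Wraps any spawn-like function (e.g. child_process.spawn, passed in by the
// caller) so that an unsafe batch invocation throws instead of running.
function spawnGuarded(spawnImpl, target, args) {
  const verdict = checkSpawn(target, args);
  if (!verdict.ok) throw new Error(`refusing to run batch file: ${verdict.reason}`);
  return spawnImpl(target, args);
}
```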
Source: OSV · CVSS 3.1 score: 8.1
References:
- https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
- https://github.com/denoland/deno/pull/30818
- https://github.com/denoland/deno/releases/tag/v2.2.15
- https://github.com/denoland/deno/releases/tag/v2.5.3
- https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3
- https://nvd.nist.gov/vuln/detail/CVE-2025-61787
- https://github.com/denoland/deno/releases/tag/v2.5.2
- https://github.com/advisories/GHSA-m2gf-x3f6-8hq3
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026