CVSS 3.1 (OSV): 8.1
Deno: Command Injection on Windows Through Batch File Bypass
JLSEC-2026-115
Summary
Deno's patch for preventing Windows batch file execution can be bypassed using alternate casing. This can allow attackers to inject commands on Windows systems. To fix this, update to Deno version 2.5.6 or later.
What to do
- Update deno_jll to version 2.6.3+0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | deno_jll | <= 2.6.3+0 | 2.6.3+0 |
Original title
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass
Original description
### Summary
A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched `.bat` or `.cmd`. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example `.BAT`, `.Bat`, etc.).
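To make the defect concrete, here is an added illustration (not Deno's source code) of the check as the description characterises it, a case-sensitive comparison against lowercase literals, beside the case-insensitive form that closes the gap. The `extensionOf` helper and the sample paths are constructed for this example.

```javascript
// Added illustration (not Deno's source): a case-sensitive extension check
// misses alternate casing; normalising before comparison does not.
const BLOCKED_EXTENSIONS = [".bat", ".cmd"];

// Extract the final extension from a path, accepting both / and \ separators.
// A bare ".bat" yields ".bat" on purpose: a block-list should err on blocking.
function extensionOf(path) {
  const base = path.split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot);
}

// Flawed check, as the advisory describes it: the raw extension is compared
// against lowercase literals, so ".BAT" or ".Bat" slips through.
function isBlockedCaseSensitive(path) {
  return BLOCKED_EXTENSIONS.includes(extensionOf(path));
}

// Hardened check: Windows file names are case-insensitive, so the extension
// is lowercased before it is compared with the block list.
function isBlockedCaseInsensitive(path) {
  return BLOCKED_EXTENSIONS.includes(extensionOf(path).toLowerCase());
}

// Constructed sample paths: the advisory's casing variants plus two controls
// (a non-batch extension, and a batch-looking name with a different last extension).
const SAMPLES = [
  "./test.bat",
  "./test.BAT",
  "./test.Bat",
  "C:\\tools\\run.CMD",
  "./script.ps1",
  "./notes.bat.txt",
];

// Run both checks over the samples so the divergence is visible side by side.
function compareChecks(paths = SAMPLES) {
  return paths.map((p) => ({
    path: p,
    flawed: isBlockedCaseSensitive(p),
    hardened: isBlockedCaseInsensitive(p),
  }));
}

for (const row of compareChecks()) console.log(row);
```

Rows where `flawed` is false but `hardened` is true are exactly the inputs the original patch let through.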
### POC
```javascript
const command = new Deno.Command('./test.BAT', {
args: ['&calc.exe'],
});
const child = command.spawn();
```
This causes `calc.exe` to be launched; see the attached screenshot for evidence.
**Patched in `CVE-2025-61787` — prevents execution of `.bat` and `.cmd` files:**

**Bypass of the patched vulnerability:**

### Impact
The script launches calc.exe on Windows, demonstrating that passing user-controlled arguments to a spawned batch script can result in command-line injection.
### Mitigation
Users should update to Deno v2.5.6 or newer.
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026