CVSS 3.1 score: 8.1
Deno 2.7.0-2.7.1: Command Injection Allows Malicious Command Execution
CVE-2026-32260
GHSA-4c96-w8v2-p28j
Summary
A security flaw in Deno's polyfill for child process creation allows an attacker to execute arbitrary system commands if they can control the arguments passed to certain functions. This could lead to unauthorized access and data theft. Update to Deno 2.7.2 to fix this vulnerability.
What to do
- Update deno to version 2.7.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | deno | > 2.7.0, <= 2.7.2 | 2.7.2 |
Original title
Deno vulnerable to Command Injection via incomplete shell metacharacter blocklist in node:child_process
Original description
## Summary
A command injection vulnerability exists in Deno's `node:child_process` polyfill (`shell: true` mode) that bypasses the fix
for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to `spawnSync` or `spawn` with `shell:
true` can execute arbitrary OS commands, bypassing Deno's permission system.
**Affected versions:** Deno v2.7.0, v2.7.1
## Details
The two-stage argument sanitization in `transformDenoShellCommand` (`ext/node/polyfills/internal/child_process.ts`) has a
priority bug: when an argument contains a `$VAR` pattern, it is wrapped in double quotes (L1290) instead of single quotes
(L1293). Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute.
Attack chain:
1. `escapeShellArg` wraps the argument in single quotes (safe)
2. `op_node_parse_shell_args` strips the single-quote delimiters during tokenization (raw argument exposed)
3. Re-quoting detects `$VAR` pattern → applies double quotes
4. Backtick payload inside double quotes executes via `/bin/sh`
## Impact
**OS Command Injection (CWE-78)**. Any application using `node:child_process` `spawn`/`spawnSync` with `shell: true` and
user-controlled arguments is vulnerable. Injected commands execute at the OS process level, outside Deno's permission
sandbox. Only `--allow-run` is required.
## Mitigation
Avoid passing user-controlled input as arguments to `spawn`/`spawnSync` with `shell: true`. Use `shell: false` (the default)
instead, or validate/sanitize inputs before passing them.
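The mitigation above, worked through as an added example (this is not Deno's own code): the vulnerable call shape the advisory describes (`shell: true` with a user-controlled argument) next to a hardened shape that allowlists the value and spawns with `shell: false`. The `ls` command, the file-name allowlist and the sample inputs are assumptions made for the illustration.

```javascript
// Added example, not code from Deno or the advisory. Uses only the standard
// node:child_process API that Deno's polyfill also exposes.

// Allowlist for the single argument this hypothetical handler accepts: a plain
// file name. The first character may not be "." (no ".." traversal) and no
// quote, backtick, "$" or whitespace is admitted; values outside the set are
// rejected outright rather than "escaped".
const SAFE_FILE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

function isSafeFileName(value) {
  return typeof value === "string" && SAFE_FILE_NAME.test(value);
}

// VULNERABLE shape, kept only so a reviewer can recognise it: shell: true hands
// the argument to /bin/sh, so safety depends entirely on the polyfill's
// re-quoting, which the advisory shows is incomplete in Deno 2.7.0-2.7.1.
function vulnerableCall(userFile) {
  return { cmd: "ls", args: ["-l", userFile], options: { shell: true } };
}

// HARDENED shape: validate first, then spawn without a shell. With shell: false
// the value reaches ls as one argv entry and no shell ever tokenises it.
function hardenedCall(userFile) {
  if (!isSafeFileName(userFile)) {
    throw new Error("argument rejected by allowlist");
  }
  return { cmd: "ls", args: ["-l", userFile], options: { shell: false } };
}

// Executes a call description. The dynamic import keeps this file loadable
// under both CommonJS and ESM.
async function runCall(call) {
  const { spawnSync } = await import("node:child_process");
  const res = spawnSync(call.cmd, call.args, { ...call.options, encoding: "utf8" });
  return { status: res.status, stdout: res.stdout, stderr: res.stderr };
}

// Constructed sample inputs: one benign name and three that carry the kinds of
// shell metacharacters the advisory's quoting bug mishandles.
const SAMPLE_INPUTS = ["report.txt", "a`b`.txt", "$HOME", "a b"];

function classifyInputs(inputs) {
  return inputs.map((v) => ({ value: v, accepted: isSafeFileName(v) }));
}
```

`runCall(hardenedCall("report.txt"))` lists the file without any shell involved, while `hardenedCall("$HOME")` throws before anything is spawned.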
NVD CVSS 3.1 score: 8.1
Vulnerability type: CWE-78 (OS Command Injection)
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026