GHSA-m3c4-prhw-mrx6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m3c4-prhw-mrx6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-m3c4-prhw-mrx6/GHSA-m3c4-prhw-mrx6.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-m3c4-prhw-mrx6
- Aliases
- Published
- 2026-01-16T15:49:38Z
- Modified
- 2026-01-16T15:56:30.497095Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass
- Details
-
Summary
A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched
.bator.cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example.BAT, .Bat, etc.).POC
const command = new Deno.Command('./test.BAT', { args: ['&calc.exe'], }); const child = command.spawn();This causes
calc.exeto be launched; see the attached screenshot for evidence.Patched in
CVE-2025-61787— prevents execution of.batand.cmdfiles:Bypass of the patched vulnerability:
Impact
The script launches calc.exe on Windows, demonstrating that passing user-controlled arguments to a spawned batch script can result in command-line injection.
Mitigation
Users should update to Deno v2.5.6 or newer.
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-01-16T15:49:38Z", "nvd_published_at": "2026-01-15T23:15:51Z", "cwe_ids": [ "CWE-77" ] }- References
Affected packages
crates.io / deno
Package
- Name
- deno
- View open source insights on deps.dev
- Purl
- pkg:cargo/deno