Search
Search is not available in local development.
Run npx pagefind --site __site after building to enable it.
JLSEC-2026-115 High 8.1

Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

SourceEditHistoryOSVJSON (OSV)
JLSEC Published
Modified
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Packages
Deno_jll < 2.6.3+0
Aliases / Upstream
EUVD-2026-2935 GHSA-m3c4-prhw-mrx6 CVE-2026-22864

Summary

A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.).

POC

const command = new Deno.Command('./test.BAT', {
  args: ['&calc.exe'],
});
const child = command.spawn();

This causes calc.exe to be launched; see the attached screenshot for evidence.

Patched in CVE-2025-61787 — prevents execution of .bat and .cmd files: photo_2025-10-10 02 27 23

Bypass of the patched vulnerability: photo_2025-10-10 02 27 25

Impact

The script launches calc.exe on Windows, demonstrating that passing user-controlled arguments to a spawned batch script can result in command-line injection.

Mitigation

Users should update to Deno v2.5.6 or newer.

References