CVE-2026-22864 - Vulnerability Details

- Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Published: 2026-01-15

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A case-sensitive check intended to block Windows batch files only compares against lowercase literals, allowing attackers to bypass it by using alternate casing such as .BAT or .Bat. This flaw enables spawning of arbitrary Windows shell commands, resulting in remote code execution. The weakness aligns with CWE-77, known for command injection scenarios.

Affected Systems

Deno, the JavaScript/TypeScript runtime, is affected in all releases prior to version 2.5.6. Updating to 2.5.6 or later resolves the issue.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS of less than 1% suggests a low yet non-zero likelihood of exploitation. Because the flaw permits arbitrary command execution on Windows when an untrusted path is passed to spawn, an attacker who can influence the spawned path—such as through a remote code execution vector or local privilege—could elevate privileges or take full control of the host. The vulnerability is not listed in the CISA KEV catalog, but the high impact and potential for widespread exploitation warrant immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

denoland

deno

affected

Version	Status	Constraints
`< 2.5.6`	affected	—

Configuration 1 [-]

cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Deno	Deno	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Deno to version 2.5.6 or later.
If an update cannot be applied immediately, restrict the allowed extensions for spawned paths to a whitelist that excludes .bat and .cmd in any case variation.
Apply input validation to ensure that any value passed to spawn functions is sanitized and does not contain disallowed extensions, thereby mitigating the underlying command injection flaw.

Generated by OpenCVE AI on April 18, 2026 at 05:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-m3c4-prhw-mrx6	Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/denoland/deno/releases/tag/v2.5.6
https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6

History

Wed, 21 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:deno:deno::::::::

Fri, 16 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 16 Jan 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Deno Deno deno
Vendors & Products		Deno Deno deno

Thu, 15 Jan 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.
Title		Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass
Weaknesses		CWE-77
References		https://github.com/denoland/deno/releases/tag/v2.5.6 https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Deno Deno

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-15T22:58:52.463Z

Updated: 2026-01-16T17:16:02.143Z

Reserved: 2026-01-12T16:20:16.746Z

Link: CVE-2026-22864

Vulnrichment

Updated: 2026-01-16T17:15:51.216Z

NVD

Status : Analyzed

Published: 2026-01-15T23:15:51.937

Modified: 2026-01-21T14:32:39.837

Link: CVE-2026-22864

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses

CWE-77

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object