Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection leading to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from an incomplete blocklist of shell metacharacters in Deno's node:child_process implementation. When an untrusted input can be supplied to the child_process APIs, the attacker can insert shell metacharacters that are not properly filtered, enabling arbitrary shell command execution. This flaw belongs to CWE‑78 and can compromise confidentiality, integrity, and availability of the system if an untrusted payload is executed.

Affected Systems

The issue affects the denoland:deno runtime packages that use the node:child_process module. All releases prior to v2.6.8 are vulnerable. The fix was applied in the v2.6.8 release and later versions are considered safe.

Risk and Exploitability

The CVSS v3.1 score is 8.1, marking it as high severity. The EPSS score is below 1 %, indicating a low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The attack vector would typically involve an application that spawns shell commands and processes user‑ supplied data. Because child_process is a local API, the attacker would need access to run code in the Deno process, but once inside, arbitrary system commands could be executed.

Generated by OpenCVE AI on April 17, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Deno to version 2.6.8 or newer to apply the vendor patch
  • If an upgrade is not immediately possible, avoid using node:child_process or remove any untrusted input from command arguments
  • Ensure that all inputs passed to child_process are properly validated or sanitized before use

Generated by OpenCVE AI on April 17, 2026 at 17:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hmh4-3xvx-q5hr Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process
History

Mon, 02 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Deno
Deno deno
Vendors & Products Deno
Deno deno

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.
Title Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Deno Deno
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T18:30:43.652Z

Reserved: 2026-02-18T19:47:02.154Z

Link: CVE-2026-27190

cve-icon Vulnrichment

Updated: 2026-02-24T18:30:32.566Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T21:19:28.090

Modified: 2026-03-02T13:35:52.260

Link: CVE-2026-27190

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses