Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, a command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
Published: 2026-03-12
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw resides in Deno 2.7.0 through 2.7.1’s node:child_process polyfill when shell execution is enabled. The sanitization routine improperly wraps $VAR patterns in double quotes rather than single quotes, permitting backtick command substitution in POSIX sh. An attacker who can influence arguments supplied to spawnSync or spawn with shell:true can execute arbitrary operating‑system commands, effectively bypassing Deno’s permission system. This weakness represents a classic command injection (CWE-78) and can compromise confidentiality, integrity, and availability of the host system.
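
As an added illustration of the quoting distinction described above (example code, not Deno's own transformDenoShellCommand): a single-quote wrapper that makes every character literal in POSIX sh, beside a double-quote wrapper of the kind the description attributes to the vulnerable versions, and a check that lists which characters sh would still interpret. The function names, the metacharacter set and the sample arguments are the example's own.

```typescript
// Added example, not Deno's own code. Characters POSIX sh still interprets
// inside double quotes: parameter expansion, command substitution, escapes,
// and (in interactive shells) history expansion.
const ACTIVE_IN_DOUBLE_QUOTES: ReadonlySet<string> = new Set(["$", "`", "\\", "!"]);

// Safe form: wrap in single quotes, which make every character literal.
// An embedded single quote is written as '\'' (close, escaped quote, reopen).
function quoteSingle(arg: string): string {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Weak form of the kind the description attributes to the vulnerable versions:
// double quotes with only `"` and `\` escaped, leaving `$` and backticks active.
function quoteDoubleWeak(arg: string): string {
  return '"' + arg.replace(/(["\\])/g, "\\$1") + '"';
}

// List the characters inside `quoted` that sh would still interpret, judged by
// the outer quote style. A check for the two wrappers above, not a full sh parser.
function activeMetacharacters(quoted: string): string[] {
  const outer = quoted.charAt(0);
  const body = quoted.slice(1, -1);
  if (outer === "'") return [];            // single quotes: nothing is special
  const found = new Set<string>();
  for (let i = 0; i < body.length; i++) {
    const c = body.charAt(i);
    if (c === "\\") { i++; continue; }     // backslash-escaped char is literal
    if (ACTIVE_IN_DOUBLE_QUOTES.has(c)) found.add(c);
  }
  return Array.from(found);
}

// Constructed sample arguments: the double-quoted form leaves `$` and backticks live.
const samples = ["plain", "$HOME", "it's", "tick `uname`"];
for (const s of samples) {
  console.log(JSON.stringify(s),
    "single:", activeMetacharacters(quoteSingle(s)),
    "double:", activeMetacharacters(quoteDoubleWeak(s)));
}
```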

Affected Systems

The vulnerability affects the denoland:deno product, specifically versions 2.7.0 and 2.7.1. Versions 2.7.2 and later contain the fix and are not impacted.

Risk and Exploitability

The CVSS rating of 8.1 classifies the flaw as high severity. EPSS indicates the likelihood of exploitation is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitability requires an attacker to control input to the child_process API; in contexts where application code accepts untrusted data, the attack vector is local to the process but could be leveraged remotely if the application is exposed. No public exploitation or proof‑of‑concept material is cited; however, the flaw’s high impact warrants immediate attention.

Generated by OpenCVE AI on March 18, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Deno version 2.7.2 or later to address the command injection issue



Advisories
Source: Github GHSA
ID: GHSA-4c96-w8v2-p28j
Title: Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process
History

Wed, 18 Mar 2026 14:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*

Fri, 13 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Deno, Deno deno
Type: Vendors & Products
Values Added: Deno, Deno deno

Thu, 12 Mar 2026 20:00:00 +0000

Type: Description
Values Added: Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, a command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
Type: Title
Values Added: Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)
Type: Weaknesses
Values Added: CWE-78
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:13:40.538Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32260

Vulnrichment

Updated: 2026-03-13T16:13:36.966Z

NVD

Status: Analyzed

Published: 2026-03-12T20:16:06.020

Modified: 2026-03-18T14:19:15.497

Link: CVE-2026-32260

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:54:50Z

Weaknesses