Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters and did not neutralize % (which cmd.exe expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned cmd.exe invocation. This vulnerability is fixed in 2.7.10.
Published: 2026-06-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 2.7.10, Deno's node:child_process implementation used an escapeShellArg helper on Windows when shell:true was specified for spawn, spawnSync, or exec. The helper failed to properly quote arguments containing cmd.exe metacharacters and did not escape percent signs, which cmd.exe expands even inside double quotes. As a result, an attacker who controls any part of an argument could inject arbitrary commands into the spawned cmd.exe request, allowing remote command execution. This issue is classified as CWE‑78 and has been fixed in Deno 2.7.10.

Affected Systems

The weakness applies to all releases of Deno prior to 2.7.10. Any installation of Deno from denoland that uses spawn, spawnSync or exec with the shell:true option on a Windows platform is susceptible to this command‑injection vulnerability.

Risk and Exploitability

The CVSS score of 8.1 indicates a high‑severity vulnerability. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. Nonetheless, the vulnerability could be exploited if an attacker controls user input that is passed to a spawn or exec call with shell:true, allowing the execution of arbitrary commands with the privileges of the Deno process and potentially leading to full system compromise.

Generated by OpenCVE AI on June 24, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Deno 2.7.10 or later to receive the fixed escapeShellArg implementation.
  • Refrain from using shell:true on Windows; if it is required, validate and sanitize all arguments so that no user‑controlled data or shell metacharacters reach the command line.
  • Audit third‑party modules and dependencies for uses of spawn, spawnSync, or exec with shell:true on Windows and remove or patch any that remain vulnerable.

Generated by OpenCVE AI on June 24, 2026 at 10:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7xh3-mhg9-jcw8 Deno: Command Injection via spawnSync & spawn on Windows
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Deno
Deno deno
Vendors & Products Deno
Deno deno

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters and did not neutralize % (which cmd.exe expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned cmd.exe invocation. This vulnerability is fixed in 2.7.10.
Title Deno: Command Injection via spawnSync & spawn on Windows
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T03:55:49.852Z

Reserved: 2026-05-29T19:08:01.257Z

Link: CVE-2026-49402

cve-icon Vulnrichment

Updated: 2026-06-23T17:53:49.175Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')