Impact
Prior to version 2.7.10, Deno's node:child_process implementation used an escapeShellArg helper on Windows when shell:true was specified for spawn, spawnSync, or exec. The helper failed to properly quote arguments containing cmd.exe metacharacters and did not escape percent signs, which cmd.exe expands even inside double quotes. As a result, an attacker who controls any part of an argument could inject arbitrary commands into the spawned cmd.exe request, allowing remote command execution. This issue is classified as CWE‑78 and has been fixed in Deno 2.7.10.
Affected Systems
The weakness applies to all releases of Deno prior to 2.7.10. Any installation of Deno from denoland that uses spawn, spawnSync or exec with the shell:true option on a Windows platform is susceptible to this command‑injection vulnerability.
Risk and Exploitability
The CVSS score of 8.1 indicates a high‑severity vulnerability. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. Nonetheless, the vulnerability could be exploited if an attacker controls user input that is passed to a spawn or exec call with shell:true, allowing the execution of arbitrary commands with the privileges of the Deno process and potentially leading to full system compromise.
OpenCVE Enrichment
Github GHSA