EUVD-2026-11694
GHSA-4c96-w8v2-p28j
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
Analysis
Deno versions 2.7.0 through 2.7.1 contain a command injection vulnerability in the node:child_process polyfill where improper quote handling allows attackers to bypass previous security fixes and execute arbitrary OS commands through shell metacharacter injection in spawn/spawnSync arguments. This vulnerability bypasses Deno's permission system entirely, enabling complete system compromise for applications processing untrusted input. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Deno deployments and identify systems running versions 2.7.0-2.7.1, particularly those using node:child_process with shell: true. Within 7 days: Implement network-level access controls to restrict outbound connections from Deno runtime processes and disable shell mode in child_process calls where operationally feasible through code review and remediation. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today