Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable via vulnerable Deno service; AC:H because exploitation requires the app to use shell:true and forward untrusted input; PR:N/UI:N; full CIA impact via RCE.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Summary
Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters such as &, |, <, >, ^, !, (, ), and did not neutralize % (which cmd.exe expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned cmd.exe invocation.
This was the Windows counterpart to CVE-2026-27190, which fixed the same class of bug in the Unix branch of escapeShellArg.
Details
On Windows, child_process with shell: true ran the command via cmd.exe /d /s /c "<command line>". Deno assembled that command line by joining the program name and each argument through escapeShellArg().
The vulnerable check was:
// If no special characters, return as-is
if (!/[\s"\\]/.test(arg)) {
return arg;
}The regex covered only whitespace, double-quote, and backslash. Any argument containing cmd.exe-significant characters but none of those three was returned unquoted and therefore interpreted by the shell. The most straightforward exploit chained commands with &:
import { spawnSync } from "node:child_process";
spawnSync("echo", ["test&calc.exe"], { shell: true, encoding: "utf-8" });The reporter confirmed this launched calc.exe on Windows 11 with Deno 2.7.5. The same shape worked for |, <, >, ^, !, (, and ).
A secondary defect existed even when arguments were quoted: cmd.exe expands %FOO% environment-variable references inside double-quoted strings. Without either doubling % or rejecting it, an argument like "%USERPROFILE%" leaked environment data into the command line.
Proof of concept
From the report, run on Windows with Deno < 2.7.10:
import { spawnSync } from "node:child_process";
const maliciousInput = "test&calc.exe";
const result = spawnSync("echo", [maliciousInput], {
shell: true,
encoding: "utf-8",
});
console.log(result);Observed: calc.exe launched as a side effect of the echo call.
Impact
Any Deno program on Windows that called child_process.spawn / spawnSync / exec (or any shell helper that funneled through escapeShellArg) with shell: true and incorporated untrusted input into an argument was exposed to arbitrary command execution in the context of the Deno process. The CVSS vector treated this as network-reachable / high-complexity because the typical exposure path was a Deno service accepting external input and forwarding it to a shelled-out subprocess.
Not affected:
- Calls without
shell: true(the default), which executed the program directly viaCreateProcesswithoutcmd.exeinterpretation. - Unix platforms, which used the single-quote branch of
escapeShellArgand were already fixed under CVE-2026-27190. - Callers that built command strings themselves and passed them as a single string with
shell: true- those were the caller's responsibility and were never sanitized by Deno.
Workarounds
Users on unpatched versions could mitigate by:
- Avoiding
shell: trueinnode:child_processcalls on Windows. - Building the argv directly and invoking the program without a shell.
- Filtering or rejecting any externally-supplied argument values that contained
cmd.exemetacharacters (& | < > ^ ! ( ) %) before passing them tospawn/spawnSync/exec.
AnalysisAI
Command injection in Deno's node:child_process on Windows allows attackers who control any portion of an argument passed to spawn/spawnSync/exec with shell: true to execute arbitrary commands via unescaped cmd.exe metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching calc.exe), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.
Technical ContextAI
Deno's Node.js compatibility layer reimplements node:child_process. When callers pass shell: true, Deno spawns cmd.exe /d /s /c "<command>" and assembles the command line by joining each argument through an escapeShellArg() helper. The helper's quoting check used the regex /[\s"\\]/ - covering only whitespace, double quotes, and backslashes - and ignored cmd.exe-significant metacharacters (&, |, <, >, ^, !, (, )) as well as the % character which cmd.exe expands even inside double-quoted strings to substitute environment variables. This is a classic CWE-78 (OS Command Injection) caused by an incomplete denylist of shell metacharacters specific to the Windows cmd.exe parser. The affected package is identified by CPE pkg:rust/deno, reflecting that the Deno runtime is implemented in Rust even though the vulnerable surface is its Node compatibility API.
RemediationAI
Upgrade Deno to vendor-released patch 2.7.10 or later - this is the primary fix and is confirmed by the upstream advisory GHSA-7xh3-mhg9-jcw8. For environments that cannot upgrade immediately, the advisory's documented workarounds are: avoid shell: true in node:child_process calls on Windows (this disables cmd.exe interpretation entirely and is the safest mitigation, though it breaks any code that relies on shell features like piping or globbing); construct the argv array explicitly and invoke the target program directly via CreateProcess; or strictly filter externally-supplied argument values to reject any of the characters & | < > ^ ! ( ) % before passing them to the spawn helpers, accepting that aggressive filtering may break legitimate inputs containing those characters. Applications that already build full command strings themselves and pass them as a single string with shell: true were never sanitized by Deno and remain the caller's responsibility regardless of patch level.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38546
GHSA-7xh3-mhg9-jcw8