Skip to main content

Deno CVE-2026-49402

| EUVDEUVD-2026-38546 HIGH
OS Command Injection (CWE-78)
2026-06-16 https://github.com/denoland/deno GHSA-7xh3-mhg9-jcw8
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable via vulnerable Deno service; AC:H because exploitation requires the app to use shell:true and forward untrusted input; PR:N/UI:N; full CIA impact via RCE.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 16, 2026 - 19:52 vuln.today
Analysis Generated
Jun 16, 2026 - 19:52 vuln.today
CVE Published
Jun 16, 2026 - 19:07 github-advisory
HIGH 8.1

DescriptionNVD

Summary

Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters such as &, |, <, >, ^, !, (, ), and did not neutralize % (which cmd.exe expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned cmd.exe invocation.

This was the Windows counterpart to CVE-2026-27190, which fixed the same class of bug in the Unix branch of escapeShellArg.

Details

On Windows, child_process with shell: true ran the command via cmd.exe /d /s /c "<command line>". Deno assembled that command line by joining the program name and each argument through escapeShellArg().

The vulnerable check was:

ts
// If no special characters, return as-is
if (!/[\s"\\]/.test(arg)) {
  return arg;
}

The regex covered only whitespace, double-quote, and backslash. Any argument containing cmd.exe-significant characters but none of those three was returned unquoted and therefore interpreted by the shell. The most straightforward exploit chained commands with &:

js
import { spawnSync } from "node:child_process";

spawnSync("echo", ["test&calc.exe"], { shell: true, encoding: "utf-8" });

The reporter confirmed this launched calc.exe on Windows 11 with Deno 2.7.5. The same shape worked for |, <, >, ^, !, (, and ).

A secondary defect existed even when arguments were quoted: cmd.exe expands %FOO% environment-variable references inside double-quoted strings. Without either doubling % or rejecting it, an argument like "%USERPROFILE%" leaked environment data into the command line.

Proof of concept

From the report, run on Windows with Deno < 2.7.10:

js
import { spawnSync } from "node:child_process";

const maliciousInput = "test&calc.exe";
const result = spawnSync("echo", [maliciousInput], {
  shell: true,
  encoding: "utf-8",
});
console.log(result);

Observed: calc.exe launched as a side effect of the echo call.

Impact

Any Deno program on Windows that called child_process.spawn / spawnSync / exec (or any shell helper that funneled through escapeShellArg) with shell: true and incorporated untrusted input into an argument was exposed to arbitrary command execution in the context of the Deno process. The CVSS vector treated this as network-reachable / high-complexity because the typical exposure path was a Deno service accepting external input and forwarding it to a shelled-out subprocess.

Not affected:

  • Calls without shell: true (the default), which executed the program directly via CreateProcess without cmd.exe interpretation.
  • Unix platforms, which used the single-quote branch of escapeShellArg and were already fixed under CVE-2026-27190.
  • Callers that built command strings themselves and passed them as a single string with shell: true - those were the caller's responsibility and were never sanitized by Deno.

Workarounds

Users on unpatched versions could mitigate by:

  • Avoiding shell: true in node:child_process calls on Windows.
  • Building the argv directly and invoking the program without a shell.
  • Filtering or rejecting any externally-supplied argument values that contained cmd.exe metacharacters (& | < > ^ ! ( ) %) before passing them to spawn / spawnSync / exec.

AnalysisAI

Command injection in Deno's node:child_process on Windows allows attackers who control any portion of an argument passed to spawn/spawnSync/exec with shell: true to execute arbitrary commands via unescaped cmd.exe metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching calc.exe), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.

Technical ContextAI

Deno's Node.js compatibility layer reimplements node:child_process. When callers pass shell: true, Deno spawns cmd.exe /d /s /c "<command>" and assembles the command line by joining each argument through an escapeShellArg() helper. The helper's quoting check used the regex /[\s"\\]/ - covering only whitespace, double quotes, and backslashes - and ignored cmd.exe-significant metacharacters (&, |, <, >, ^, !, (, )) as well as the % character which cmd.exe expands even inside double-quoted strings to substitute environment variables. This is a classic CWE-78 (OS Command Injection) caused by an incomplete denylist of shell metacharacters specific to the Windows cmd.exe parser. The affected package is identified by CPE pkg:rust/deno, reflecting that the Deno runtime is implemented in Rust even though the vulnerable surface is its Node compatibility API.

RemediationAI

Upgrade Deno to vendor-released patch 2.7.10 or later - this is the primary fix and is confirmed by the upstream advisory GHSA-7xh3-mhg9-jcw8. For environments that cannot upgrade immediately, the advisory's documented workarounds are: avoid shell: true in node:child_process calls on Windows (this disables cmd.exe interpretation entirely and is the safest mitigation, though it breaks any code that relies on shell features like piping or globbing); construct the argv array explicitly and invoke the target program directly via CreateProcess; or strictly filter externally-supplied argument values to reject any of the characters & | < > ^ ! ( ) % before passing them to the spawn helpers, accepting that aggressive filtering may break legitimate inputs containing those characters. Applications that already build full command strings themselves and pass them as a single string with shell: true were never sanitized by Deno and remain the caller's responsibility regardless of patch level.

Share

CVE-2026-49402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy