Vulnerability Database
296,676
Total vulnerabilities in the database
CVE-2025-61787
Summary
Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.
Details
In Windows, CreateProcess() always implicitly spawns cmd.exe if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows as demonstrated by the two proves-of-concept below.
PoC
Using node:child_process (with the env and run permissions):
const { spawn } = require('node:child_process');
const child = spawn('./test.bat', ['&calc.exe']);
Using Deno.Command.spawn() (with the run permission):
const command = new Deno.Command('./test.bat', {
args: ['&calc.exe'],
});
const child = command.spawn();
Impact
Both of these scripts result in opening calc.exe on Windows, thus allowing a Command Line Injection attack when user-provided arguments are passed if the script being executed by the child process is a batch script.
| Software | From | Fixed in |
|---|---|---|
deno
|
- | 2.5.2 |
- https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
- https://github.com/denoland/deno/pull/30818
- https://github.com/denoland/deno/releases/tag/v2.2.15
- https://github.com/denoland/deno/releases/tag/v2.5.2
- https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime