CVE-2025-61787
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, CreateProcess() always implicitly spawns cmd.exe if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.
| Software | From | Fixed in |
|---|---|---|
deno
|
- | 2.5.2 |
| deno / deno | - | 2.2.15.x |
| deno / deno | 2.3.0 | 2.5.3 |
- https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
- https://github.com/denoland/deno/pull/30818
- https://github.com/denoland/deno/releases/tag/v2.2.15
- https://github.com/denoland/deno/releases/tag/v2.5.2
- https://github.com/denoland/deno/releases/tag/v2.5.3
- https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime