A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix
for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to spawnSync or spawn with shell:
true can execute arbitrary OS commands, bypassing Deno's permission system.
Affected versions: Deno v2.7.0, v2.7.1
## Details
The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a
priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes
(L1293). Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute.
Attack chain:
1. escapeShellArg wraps the argument in single quotes (safe)
2. op_node_parse_shell_args strips the single-quote delimiters during tokenization (raw argument exposed)
3. Re-quoting detects $VAR pattern → applies double quotes
4. Backtick payload inside double quotes executes via /bin/sh
## Impact
OS Command Injection (CWE-78). Any application using node:child_process spawn/spawnSync with shell: true and
user-controlled arguments is vulnerable. Injected commands execute at the OS process level, outside Deno's permission
sandbox. Only --allow-run is required.
## Mitigation
Avoid passing user-controlled input as arguments to spawn/spawnSync with shell: true. Use shell: false (the default)
instead, or validate/sanitize inputs before passing them.
| Score | Percentile |
|---|---|
| 0.10% | 27.64% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-4c96-w8v2-p28j ↗ |
| CVE | CVE-2026-32260 ↗ |
| CWE id | Name |
|---|---|
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rust | deno | >= 2.7.0, < 2.7.2 | 2.7.2 | — |