A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.).
const command = new Deno.Command('./test.BAT', {
args: ['&calc.exe'],
});
const child = command.spawn();
This causes calc.exe to be launched; see the attached screenshot for evidence.
Patched in CVE-2025-61787 — prevents execution of .bat and .cmd files:
Bypass of the patched vulnerability:
The script launches calc.exe on Windows, demonstrating that passing user-controlled arguments to a spawned batch script can result in command-line injection.
Users should update to Deno v2.5.6 or newer.
| Score | Percentile |
|---|---|
| 0.03% | 8.64% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-m3c4-prhw-mrx6 ↗ |
| CVE | CVE-2026-22864 ↗ |
| CWE id | Name |
|---|---|
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rust | deno | < 2.5.6 | 2.5.6 | — |