8.1

CVE-2025-61787

Exploit

Deno is Vulnerable to Command Injection on Windows During Batch File Execution

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DenoDeno Version <= 2.2.15
   MicrosoftWindows Version-
DenoDeno Version >= 2.3.0 < 2.5.3
   MicrosoftWindows Version-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.12% 0.794
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://github.com/denoland/deno/releases/tag/v2.2.15
Release Notes
https://github.com/denoland/deno/releases/tag/v2.5.3
Release Notes
https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3
Vendor Advisory
Exploit
https://github.com/denoland/deno/pull/30818
Patch
Issue Tracking
https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
Patch