Deno
cpe:2.3:a:deno:deno:*:*:*:*:*:*:*
- 2.6.7
A command injection vulnerability has been identified in Deno versions prior to 2.6.8, specifically within the 'node:child_process' module. The issue arises from an incomplete blocklist of shell metacharacters, which could be exploited to execute arbitrary commands.
Exploitation of this vulnerability allows for arbitrary command execution on the host system.
The vulnerability can be reproduced by calling 'spawnSync' from the 'node:child_process' module to run a Deno command whose arguments carry shell metacharacters, such as newlines or semicolons, that the blocklist fails to escape. A crafted payload then performs an unintended action when executed, such as creating a file as proof of command execution.
Users are advised to update Deno to version 2.6.8 or later, where this vulnerability has been patched.
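As an added example (not Deno's own code), the contrast the advisory points at: a blocklist of shell metacharacters that omits newline next to an allowlist, plus a wrapper that refuses arguments failing the allowlist and keeps `shell: false`. The regexes and sample arguments are constructed for illustration and are not Deno's.

```javascript
// Added example, not Deno's code: why a blocklist of shell metacharacters
// is fragile and an allowlist is the safer check. Lists are constructed.

// A blocklist of the kind the advisory calls incomplete: it stops ";" and
// "&" but forgets newline and carriage return, which shells also treat as
// command separators.
const INCOMPLETE_BLOCKLIST = /[;&|<>$`()]/;

function blocklistRejects(arg) {
  return INCOMPLETE_BLOCKLIST.test(arg);
}

// Allowlist: only characters that are inert as a single argument. Anything
// else, newline included, is refused without having to enumerate it.
const SAFE_ARG = /^[A-Za-z0-9_.\/=:@+-]+$/;

function allowlistAccepts(arg) {
  return SAFE_ARG.test(arg);
}

// Run both checks over a list of arguments and report which arguments
// each one lets through.
function compareChecks(args) {
  const passedBlocklist = args.filter((a) => !blocklistRejects(a));
  const passedAllowlist = args.filter((a) => allowlistAccepts(a));
  return { passedBlocklist, passedAllowlist };
}

// Build spawn parameters that keep the shell out of the picture: refuse the
// call unless every argument passes the allowlist, and never set shell:true.
// (Hypothetical wrapper; pass its fields to spawnSync yourself.)
function buildSpawnArgs(command, args) {
  const bad = args.filter((a) => !allowlistAccepts(a));
  if (bad.length > 0) {
    throw new Error(`rejected arguments: ${JSON.stringify(bad)}`);
  }
  return { command, args, options: { shell: false } };
}

// Constructed sample arguments: one benign, one with ";", one with "\n".
const SAMPLE_ARGS = ["report.txt", "report.txt;id", "report.txt\nid"];

// The blocklist passes two of the three (it misses the newline case);
// the allowlist passes only the benign one.
console.log(compareChecks(SAMPLE_ARGS));
```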