{"id":"JLSEC-2026-115","summary":"Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass","details":"### Summary\n\nA prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched `.bat` or `.cmd`. That check compares the extension case-sensitively against the lowercase literals, while Windows resolves file extensions case-insensitively, so it can be bypassed when the extension uses alternate casing (for example `.BAT` or `.Bat`).\n\n### POC\n\n```javascript\nconst command = new Deno.Command('./test.BAT', {\n  args: ['&calc.exe'],\n});\nconst child = command.spawn();\n```\n\nThis causes `calc.exe` to be launched; see the attached screenshot for evidence.\n\n**Patched in `CVE-2025-61787` — prevents execution of `.bat` and `.cmd` files:**\n![photo_2025-10-10 02 27 23](https://github.com/user-attachments/assets/43df25e2-e2e1-48aa-8060-cb0a22637f1f)\n\n**Bypass of the patched vulnerability:**\n![photo_2025-10-10 02 27 25](https://github.com/user-attachments/assets/2be1afb4-84a1-4883-8e18-6a174fdd3615)\n\n### Impact\n\nThe script launches `calc.exe` on Windows, demonstrating that passing user-controlled arguments to a spawned batch script can result in command-line injection.\n\n### Mitigation\n\nUsers should update to Deno v2.5.6 or newer.","modified":"2026-04-14T13:31:35.077108527Z","published":"2026-04-14T13:10:46.494Z","upstream":["CVE-2026-22864","EUVD-2026-2935","GHSA-m3c4-prhw-mrx6"],"database_specific":{"license":"CC-BY-4.0","sources":[{"html_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22864","id":"CVE-2026-22864","imported":"2026-04-14T12:58:55.197Z","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-22864","published":"2026-01-15T23:15:51.937Z","modified":"2026-01-21T14:32:39.837Z"},{"imported":"2026-04-14T12:59:06.994Z","id":"GHSA-m3c4-prhw-mrx6","html_url":"https://github.com/advisories/GHSA-m3c4-prhw-mrx6","url":"https://api.github.com/advisories/GHSA-m3c4-prhw-mrx6","published":"2026-01-16T15:49:38Z","modified":"2026-01-27T16:49:29Z"},{"imported":"2026-04-14T12:58:57.054Z","id":"EUVD-2026-2935","html_url":"https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-2935","url":"https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-2935","published":"2026-01-15T22:58:52Z","modified":"2026-01-16T17:16:02Z"}]},"references":[{"type":"WEB","url":"https://github.com/denoland/deno/releases/tag/v2.5.6"},{"type":"WEB","url":"https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22864"},{"type":"WEB","url":"https://github.com/advisories/GHSA-m3c4-prhw-mrx6"}],"affected":[{"package":{"name":"Deno_jll","ecosystem":"Julia","purl":"pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.6.3+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-115.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"credits":[{"name":"SharokhAtaie","contact":["https://github.com/SharokhAtaie"],"type":"REPORTER"},{"name":"B14CK-SPID3R","contact":["https://github.com/B14CK-SPID3R"],"type":"REPORTER"}]}