{"id":"JLSEC-2026-656","summary":"Deno: Command Injection via spawnSync & spawn on Windows","details":"## Summary\n\nDeno's `node:child_process` implementation provided an `escapeShellArg()` helper used when callers passed `shell: true` to `spawn` / `spawnSync` / `exec` and friends. On Windows, the helper failed to quote arguments that contained `cmd.exe` metacharacters such as `&`, `|`, `\u003c`, `\u003e`, `^`, `!`, `(`, `)`, and did not neutralize `%` (which `cmd.exe` expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned `cmd.exe` invocation.\n\nThis was the Windows counterpart to CVE-2026-27190, which fixed the same class of bug in the Unix branch of `escapeShellArg`.\n\n## Details\n\nOn Windows, `child_process` with `shell: true` ran the command via `cmd.exe /d /s /c \"\u003ccommand line\u003e\"`. Deno assembled that command line by joining the program name and each argument through `escapeShellArg()`.\n\nThe vulnerable check was:\n\n```ts\n// If no special characters, return as-is\nif (!/[\\s\"\\\\]/.test(arg)) {\n  return arg;\n}\n```\n\nThe regex covered only whitespace, double-quote, and backslash. Any argument containing `cmd.exe`-significant characters but none of those three was returned unquoted and therefore interpreted by the shell. The most straightforward exploit chained commands with `&`:\n\n```js\nimport { spawnSync } from \"node:child_process\";\n\nspawnSync(\"echo\", [\"test&calc.exe\"], { shell: true, encoding: \"utf-8\" });\n```\n\nThe reporter confirmed this launched `calc.exe` on Windows 11 with Deno 2.7.5. The same shape worked for `|`, `\u003c`, `\u003e`, `^`, `!`, `(`, and `)`.\n\nA secondary defect existed even when arguments were quoted: `cmd.exe` expands `%FOO%` environment-variable references inside double-quoted strings. Without either doubling `%` or rejecting it, an argument like `\"%USERPROFILE%\"` leaked environment data into the command line.\n\n## Proof of concept\n\nFrom the report, run on Windows with Deno `\u003c 2.7.10`:\n\n```js\nimport { spawnSync } from \"node:child_process\";\n\nconst maliciousInput = \"test&calc.exe\";\nconst result = spawnSync(\"echo\", [maliciousInput], {\n  shell: true,\n  encoding: \"utf-8\",\n});\nconsole.log(result);\n```\n\nObserved: `calc.exe` launched as a side effect of the `echo` call.\n\n## Impact\n\nAny Deno program on Windows that called `child_process.spawn` / `spawnSync` / `exec` (or any shell helper that funneled through `escapeShellArg`) with `shell: true` and incorporated untrusted input into an argument was exposed to arbitrary command execution in the context of the Deno process. The CVSS vector treated this as network-reachable / high-complexity because the typical exposure path was a Deno service accepting external input and forwarding it to a shelled-out subprocess.\n\nNot affected:\n\n  - Calls without `shell: true` (the default), which executed the program directly via `CreateProcess` without `cmd.exe` interpretation.\n  - Unix platforms, which used the single-quote branch of `escapeShellArg` and were already fixed under CVE-2026-27190.\n  - Callers that built command strings themselves and passed them as a single string with `shell: true` — those were the caller's responsibility and were never sanitized by Deno.\n\n## Workarounds\n\nUsers on unpatched versions could mitigate by:\n\n  - Avoiding `shell: true` in `node:child_process` calls on Windows.\n  - Building the argv directly and invoking the program without a shell.\n  - Filtering or rejecting any externally-supplied argument values that contained `cmd.exe` metacharacters (`& | \u003c \u003e ^ ! ( ) %`) before passing them to `spawn` / `spawnSync` / `exec`.","modified":"2026-07-07T13:49:37.724936562Z","published":"2026-07-07T13:43:33.746Z","upstream":["CVE-2026-49402","EUVD-2026-38546","GHSA-7xh3-mhg9-jcw8"],"database_specific":{"license":"CC-BY-4.0","sources":[{"modified":"2026-06-26T17:33:10.807Z","database_specific":{"status":"Analyzed"},"published":"2026-06-23T18:18:03.177Z","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49402","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-49402","id":"CVE-2026-49402","imported":"2026-06-27T08:36:01.335Z"},{"modified":"2026-06-16T19:07:48Z","id":"GHSA-7xh3-mhg9-jcw8","html_url":"https://github.com/advisories/GHSA-7xh3-mhg9-jcw8","url":"https://api.github.com/advisories/GHSA-7xh3-mhg9-jcw8","published":"2026-06-16T19:07:44Z","imported":"2026-06-27T08:36:14.212Z"},{"modified":"2026-06-25T03:55:49Z","published":"2026-06-23T17:20:50Z","html_url":"https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38546","url":"https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-38546","id":"EUVD-2026-38546","imported":"2026-06-27T08:36:01.407Z"}]},"references":[{"type":"WEB","url":"https://github.com/advisories/GHSA-7xh3-mhg9-jcw8"},{"type":"WEB","url":"https://github.com/denoland/deno/security/advisories/GHSA-7xh3-mhg9-jcw8"}],"affected":[{"package":{"name":"Deno_jll","ecosystem":"Julia","purl":"pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.8.1+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-656.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"credits":[{"name":"kejcao","contact":["https://github.com/kejcao"],"type":"REPORTER"}]}