Details
Summary
A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.).
POC
const command = new Deno.Command('./test.BAT', {
args: ['&calc.exe'],
});
const child = command.spawn();
This causes calc.exe to be launched; see the attached screenshot for evidence.
Patched in CVE-2025-61787 — prevents execution of .bat and .cmd files:
Bypass of the patched vulnerability:
Impact
The script launches calc.exe on Windows, demonstrating that passing user-controlled arguments to a spawned batch script can result in command-line injection.
Mitigation
Users should update to Deno v2.5.6 or newer.
Affected Packages
deno
crates.io
Fixed in:
2.5.6Aliases
CVSS Analysis
CVSS v3.1
8.1
Exploitability
Attack Vector
Network
AV:NAttack Complexity
High
AC:HPrivileges Required
None
PR:NUser Interaction
None
UI:NScope
Scope
Unchanged
S:UImpact
Confidentiality
High
C:HIntegrity
High
I:HAvailability
High
A:H8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HRelated
Ecosystems
Timeline
PublishedJan 16, 2026
ModifiedJan 16, 2026