Deno on Windows: How a Capital Letter Broke the Security Model
Vulnerability ID: CVE-2026-22864
CVSS Score: 8.1
Published: 2026-01-16
A command injection vulnerability in the Deno runtime on Windows allowing arbitrary code execution via crafted batch file extensions.
TL;DR
Deno tried to stop you from spawning batch files to prevent command injection, but the check looked for '.bat', not '.BAT'. Because Windows is case-insensitive and cmd.exe is a parsing nightmare, an attacker could bypass the filter and inject arbitrary shell commands simply by shouting the file extension.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-77 (Command Injection)
- CVSS v3.1: 8.1 (High)
- Attack Vector: Network (AV:N)
- Impact: Remote Code Execution
- Platform: Windows (x64/x86)
- Exploit Status: Functional PoC Available
Affected Systems
- Deno runtime on Windows < 2.5.6
- Deno: < 2.5.6 (Fixed in: 2.5.6)
Code Analysis
Commit: 1b07f02
fix(windows): re-allow spawning bat and cmd files with hardening
Detailed rust implementation of case-insensitive checking and argument escaping.
Commit: 12a6585
fix(windows): strip periods and trailing slashes
Path normalization updates.
Exploit Details
- Internal PoC: Constructing a .BAT file and passing shell metacharacters in arguments.
Mitigation Strategies
- Upgrade to Deno v2.5.6 immediately.
- Sanitize all user inputs used in process spawning APIs.
- Avoid spawning batch files (.bat, .cmd) entirely if possible; use PowerShell or native executables.
Remediation Steps:
- Check your Deno version: deno --version.
- If the version is < 2.5.6, run deno upgrade.
- Audit your codebase for usage of Deno.Command or Deno.run.
- Ensure no user-controlled data is passed directly into command arguments without strict validation.
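An added example (not Deno's own code, which is in Rust) showing the kind of case-sensitive check that was bypassed beside a hardened one that normalises the way the Windows path parser does, written as a guard an application could put in front of its own Deno.Command calls while auditing. The function names and the choice to reject rather than escape unsafe arguments are assumptions of this example, not the logic of the upstream patch.

```typescript
// Added example: extension check before and after hardening.
// Windows resolves executable names case-insensitively and ignores
// trailing periods, spaces and slashes, so a check must normalise first.

const BATCH_EXTENSIONS = [".bat", ".cmd"];
// Characters cmd.exe interprets when it re-parses a batch file's arguments.
const CMD_METACHARS = /[&|<>^%!"\r\n]/;

// Weak check of the kind that was bypassed: exact-case, no normalisation,
// so "run.BAT" or "run.bat." slips through.
function isBatchFileWeak(exe: string): boolean {
  return exe.endsWith(".bat") || exe.endsWith(".cmd");
}

// Normalise like the Windows path parser: drop trailing periods, spaces
// and slashes, then compare case-insensitively.
function normalizeWindowsExe(exe: string): string {
  return exe.replace(/[. \\/]+$/, "").toLowerCase();
}

// Hardened check: normalised name against the lower-cased extension list.
function isBatchFile(exe: string): boolean {
  const name = normalizeWindowsExe(exe);
  return BATCH_EXTENSIONS.some((ext) => name.endsWith(ext));
}

interface SpawnRequest {
  cmd: string;
  args: string[];
}

type SpawnVerdict = { ok: true } | { ok: false; reason: string };

// Application-side guard (hypothetical): if the target is a batch file,
// refuse any argument carrying cmd.exe metacharacters. Refusing is simpler
// and safer than trying to escape correctly for cmd.exe.
function checkSpawn(req: SpawnRequest): SpawnVerdict {
  if (!isBatchFile(req.cmd)) return { ok: true };
  const bad = req.args.find((a) => CMD_METACHARS.test(a));
  if (bad !== undefined) {
    return { ok: false, reason: `batch target with unsafe argument ${JSON.stringify(bad)}` };
  }
  return { ok: true };
}
```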
References
Read the full report for CVE-2026-22864 on our website for more details including interactive diagrams and full exploit analysis.