PT-2025-41212 · Deno · Deno

R4356Th · Published 2025-10-08 · Updated 2026-04-14 · CVE-2025-61787

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Deno versions prior to 2.5.3 and 2.2.15

Description

Deno, a JavaScript, TypeScript, and WebAssembly runtime, is susceptible to Command Line Injection attacks on Windows operating systems when batch files are executed. The Windows operating system implicitly uses cmd.exe when executing batch files, even if not explicitly specified, creating a pathway for attackers to inject malicious commands through user input. Approximately 654 systems are estimated to be affected, and over 1,300 services are found annually.

The vulnerability resides in the way Deno handles the CreateProcess() function when executing batch files on Windows. The CreateProcess() function is used to create a new process, and in the case of batch files, it automatically invokes cmd.exe. This behavior allows attackers to inject commands into the batch file, which are then executed by cmd.exe.

Recommendations

Update Deno to version 2.5.3 or 2.2.15 to resolve this issue.
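As a defence-in-depth check alongside the update, application code can refuse to pass user-influenced arguments to a batch file at all. The sketch below is an added example, not code from Deno or from this advisory; `isBatchTarget`, `checkSpawn` and `SAFE_ARG` are hypothetical names, the allowlist is an assumption to adapt, and the caller is assumed to supply the platform string.

```javascript
// Added example: pre-spawn guard for batch-file targets on Windows.
// All names here are hypothetical helpers, not Deno APIs.

// Decide whether the command names a .bat/.cmd file. Trailing dots and spaces
// are stripped first because Win32 path normalization drops them, and the
// comparison is case-insensitive. Only explicit extensions are covered.
function isBatchTarget(command) {
  const normalized = command.replace(/[. ]+$/, "").toLowerCase();
  return normalized.endsWith(".bat") || normalized.endsWith(".cmd");
}

// Conservative allowlist (assumption): letters, digits and a few path
// characters. Everything cmd.exe treats specially, such as & | < > ^ % " !
// ( ) and line breaks, falls outside it and is therefore rejected.
const SAFE_ARG = /^[A-Za-z0-9_.,:=@\/\\-]+$/;

// Returns { allowed, reason, rejected? }. The caller spawns only if allowed.
function checkSpawn(command, args, platform = "windows") {
  if (platform !== "windows" || !isBatchTarget(command)) {
    return { allowed: true, reason: "not a batch file on Windows" };
  }
  const rejected = args.filter(
    (a) => typeof a !== "string" || !SAFE_ARG.test(a),
  );
  if (rejected.length > 0) {
    return {
      allowed: false,
      reason: "argument outside allowlist for a cmd.exe-interpreted target",
      rejected,
    };
  }
  return { allowed: true, reason: "batch file with allowlisted arguments" };
}

// Constructed sample inputs, for illustration only.
const samples = [
  ["build.bat", ["release", "C:\\out\\dir"]],
  ["build.BAT. ", ["a&b"]],
  ["tool.exe", ["a&b"]],
];
for (const [cmd, args] of samples) {
  console.log(cmd, JSON.stringify(args), checkSpawn(cmd, args).allowed);
}
```

The guard rejects rather than escapes, because cmd.exe applies its own parsing after CreateProcess() hands over the command line; it complements the update to a fixed version and does not replace it.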

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-61787
GHSA-M2GF-X3F6-8HQ3
JLSEC-2026-113

Affected Products

Deno