PT-2026-20983 · Deno · Deno
Jackhax · Published 2026-02-19 · Updated 2026-04-14
CVE-2026-27190
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Deno versions prior to 2.6.8
Description
A command injection issue exists in Deno's node:child_process implementation. It allows arbitrary command execution through crafted input passed to the spawnSync function when the shell option is set to true. A proof-of-concept creates a file (/tmp/rce proof) to confirm successful exploitation. The vulnerable code uses the Deno.execPath() function and the spawnSync function with the shell: true option, which allows command injection via newline characters in the input. The vulnerable parameter is the input to the spawnSync function.
Recommendations
Update to Deno version 2.6.8 or later.
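For triage until the update is rolled out, the following added example (not code from Deno or from this advisory) checks a runtime version string against the fixed release and refuses spawnSync calls that combine the shell option with line breaks in the command or arguments. The names isAffectedDenoVersion, auditSpawnCall and guardedSpawnSync are hypothetical, and the real spawnSync is passed in by the caller.

```javascript
// Added example: defensive helpers for the spawnSync issue described above.
// No imports; the real spawnSync is injected by the caller.
const FIXED = [2, 6, 8]; // first fixed release per the advisory

// True when a Deno version string (e.g. Deno.version.deno) predates 2.6.8.
// Pre-release suffixes such as "-rc.1" are ignored.
function isAffectedDenoVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new TypeError(`unparseable version: ${version}`);
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 2.6.8
}

// CR and LF: the newline characters the advisory names as the injection vector.
const LINE_BREAKS = /[\r\n]/;

// Reports whether a planned call goes through a shell and which values
// (command or args[n]) contain a line break.
function auditSpawnCall(command, args = [], options = {}) {
  const usesShell = Boolean(options.shell); // true or a shell path string
  const lineBreakIn = [];
  if (usesShell) {
    [command, ...args].forEach((value, i) => {
      if (LINE_BREAKS.test(String(value))) {
        lineBreakIn.push(i === 0 ? "command" : `args[${i - 1}]`);
      }
    });
  }
  return { usesShell, lineBreakIn };
}

// Wrapper that throws instead of spawning when the audit finds a line break.
function guardedSpawnSync(spawnSync, command, args = [], options = {}) {
  const { lineBreakIn } = auditSpawnCall(command, args, options);
  if (lineBreakIn.length > 0) {
    throw new Error(`refusing to spawn: line break in ${lineBreakIn.join(", ")}`);
  }
  return spawnSync(command, args, options);
}
```

Rejecting line breaks covers only the vector this advisory describes; where the shell is not needed, leave the shell option off so arguments are passed as an argument array.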
Exploit
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Deno