PT-2026-25071 · Crates.Io+3 · Deno
Rtvkiz · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-32260
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Deno versions 2.7.0 through 2.7.1

Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime. A command injection issue exists in the node:child_process polyfill when it is used in shell: true mode. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) incorrectly prioritizes double quotes over single quotes when handling arguments that contain a $VAR pattern. Because such arguments are wrapped in double quotes instead of single quotes, POSIX sh still performs backtick command substitution inside them, so injected commands are executed. An attacker who controls arguments passed to spawn or spawnSync with shell: true can therefore execute arbitrary operating system commands, bypassing Deno's permission system. The vulnerable component is the node:child_process polyfill; the vulnerable function is transformDenoShellCommand.

Recommendations: Avoid passing user-controlled input as arguments to spawn or spawnSync with shell: true; use shell: false instead. If shell: true is unavoidable, thoroughly validate and sanitize all inputs before passing them to the affected functions.
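As an added example (not Deno's code and not a reconstruction of transformDenoShellCommand), the POSIX quoting rule behind this bug and the hardened alternative a caller can apply before handing arguments to a shell: true spawn; the helper names and the sample arguments are constructed for illustration.

```typescript
// Added example, not Deno's code. In POSIX sh, text inside double quotes is
// still subject to parameter expansion ($VAR), command substitution (`cmd`,
// $(cmd)) and backslash escapes, so double quotes do not neutralise an
// argument. Text inside single quotes is taken literally; the only character
// that cannot appear is the single quote itself, which is closed, escaped
// and reopened as '\''.

// Characters that keep a special meaning inside POSIX double quotes.
const DOUBLE_QUOTE_ACTIVE = /[`$\\"]/;

// Hypothetical helper: the weak wrapping the advisory describes for
// arguments matching a $VAR pattern (kept here only for comparison).
function weakDoubleQuote(arg: string): string {
  return `"${arg}"`;
}

// Hardened helper: always single-quote, so $VAR and backticks stay inert.
function posixSingleQuote(arg: string): string {
  return `'${arg.replace(/'/g, `'\\''`)}'`;
}

// Returns true when a double-quoted rendering of `arg` would still let sh
// expand or substitute part of it, i.e. when double quoting is not a sanitizer.
function doubleQuotingLeavesShellActive(arg: string): boolean {
  return DOUBLE_QUOTE_ACTIVE.test(arg);
}

// Safe argv -> command-string mapping for a shell: true call: every argument
// is single-quoted, so the shell sees exactly one word per element.
function joinForPosixShell(argv: string[]): string {
  return argv.map(posixSingleQuote).join(" ");
}

// Constructed sample arguments of the kind a caller might forward verbatim.
// "`cmd`" is a placeholder for any backtick-wrapped text, not a real command.
const SAMPLE_ARGS = ["$HOME", "x`cmd`y", "it's", "plain"];

// Quick self-check when run directly: which samples the weak wrapping
// leaves live, and how the hardened wrapping renders them.
for (const a of SAMPLE_ARGS) {
  console.log(
    `${weakDoubleQuote(a)} active=${doubleQuotingLeavesShellActive(a)}` +
      ` -> ${posixSingleQuote(a)}`,
  );
}
```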

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2026-32260, GHSA-4C96-W8V2-P28J

Affected Products: Deno