CVE-2025-61787 | THREATINT

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.

PUBLISHED Reserved 2025-09-30 | Published 2025-10-08 | Updated 2025-10-08 | Assigner GitHub_M

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Product status

>= 2.3.0, < 2.5.3

affected

< 2.2.15

affected

References

github.com/...d/deno/security/advisories/GHSA-m2gf-x3f6-8hq3

github.com/denoland/deno/pull/30818

github.com/...ommit/8a0990ccd37bafd8768176ca64b906ba2da2d822

github.com/denoland/deno/releases/tag/v2.2.15

github.com/denoland/deno/releases/tag/v2.5.3

cve.org (CVE-2025-61787)

nvd.nist.gov (CVE-2025-61787)

Download JSON