Deno: Command Injection via spawnSync & spawn on Windows
- When
- Where
- Global (internet)
- Category
- cyber_advisory · rust
## Summary Deno's `node:child_process` implementation provided an `escapeShellArg()` helper used when callers passed `shell: true` to `spawn` / `spawnSync` / `exec` and friends. On Windows, the helper failed to quote arguments that contained `cmd.exe` metacharacters such as `&`, `|`, `<`, `>`, `^`, `!`, `(`, `)`, and did not neutralize `%` (which `cmd.exe` expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned `cmd.exe` invocation. This was the Windows counterpart to CVE-2026-27190, which fixed the same class of bug in the Unix branch of `escapeShellArg`. ## Details On Windows, `child_process` with `shell: true` ran the command via `cmd.exe /d /s /c "<command line>"`. Deno assembled that command line by joining the program name and each argument through `escapeShellArg()`. The vulnerable check was: ```ts // If no special characters, return as-is if (!/[\s"\\]/.test(arg)) { return arg; } ``` The regex covered only whitespace, double-quote, and backslash. Any argument containing `cmd.exe`-significant characters but none of those three was returned unquoted and therefore interpreted by the shell. The most straightforward exploit chained commands with `&`: ```js import { spawnSync } from "node:child_process"; spawnSync("echo", ["test&calc.exe"], { shell: true, encoding: "utf-8" }); ``` The reporter confirmed this launched `calc.exe` on Windows 11 with Deno 2.7.5. The same shape worked for `|`, `<`, `>`, `^`, `!`, `(`, and `)`. A secondary defect existed even when arguments were quoted: `cmd.exe` expands `%FOO%` environment-variable references inside double-quoted strings. Without either doubling `%` or rejecting it, an argument like `"%USERPROFILE%"` leaked environment data into the command line. ## Proof of concept From the report, run on Windows with Deno `< 2.7.10`: ```js import { spawnSync } from "node:child_process"; const maliciousInput = "test&calc.exe"; const result = spawnSync("echo", [maliciousInput], { shell: true, encoding: "utf-8", }); console.log(result); ``` Observed: `calc.exe` launched as a side effect of the `echo` call. ## Impact Any Deno program on Windows that called `child_process.spawn` / `spawnSync` / `exec` (or any shell helper that funneled through `escapeShellArg`) with `shell: true` and incorporated untrusted input into an argument was exposed to arbitrary command execution in the context of the Deno process. The CVSS vector treated this as network-reachable / high-complexity because the typical exposure path was a Deno service accepting external input and forwarding it to a shelled-out subprocess. Not affected: - Calls without `shell: true` (the default), which executed the program directly via `CreateProcess` without `cmd.exe` interpretation. - Unix platforms, which used the single-quote branch of `escapeShellArg` and were already fixed under CVE-2026-27190. - Callers that built command strings themselves and passed them as a single string with `shell: true` — those were the caller's responsibility and were never sanitized by Deno. ## Workarounds Users on unpatched versions could mitigate by: - Avoiding `shell: true` in `node:child_process` calls on Windows. - Building the argv directly and invoking the program without a shell. - Filtering or rejecting any externally-supplied argument values that contained `cmd.exe` metacharacters (`& | < > ^ ! ( ) %`) before passing them to `spawn` / `spawnSync` / `exec`.
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-16 19:07 UTC
Defaxon links out to the original reporting and never republishes article text.
Correlated events
Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.