FKIE_CVE-2026-32260

Vulnerability from fkie_nvd - Published: 2026-03-12 20:16 - Updated: 2026-03-12 21:07
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
References
security-advisories@github.comhttps://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1,  A command injection vulnerability exists in Deno\u0027s node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno\u0027s permission system. This vulnerability is fixed in 2.7.2."
    },
    {
      "lang": "es",
      "value": "Deno es un entorno de ejecuci\u00f3n de JavaScript, TypeScript y WebAssembly. Desde 2.7.0 hasta 2.7.1, existe una vulnerabilidad de inyecci\u00f3n de comandos en el polyfill node:child_process de Deno (modo shell: true) que elude la correcci\u00f3n para CVE-2026-27190. La sanitizaci\u00f3n de argumentos en dos etapas en transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) tiene un error de prioridad: cuando un argumento contiene un patr\u00f3n $VAR, se envuelve en comillas dobles (L1290) en lugar de comillas simples. Las comillas dobles en POSIX sh no suprimen la sustituci\u00f3n de comandos con comillas invertidas, permitiendo que se ejecuten comandos inyectados. Un atacante que controla los argumentos pasados a spawnSync o spawn con shell: true puede ejecutar comandos arbitrarios del sistema operativo, eludiendo el sistema de permisos de Deno. Esta vulnerabilidad est\u00e1 corregida en 2.7.2."
    }
  ],
  "id": "CVE-2026-32260",
  "lastModified": "2026-03-12T21:07:53.427",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-12T20:16:06.020",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.