GHSA-4C96-W8V2-P28J

Vulnerability from github – Published: 2026-03-13 20:02 – Updated: 2026-03-13 20:02
Summary
Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process
Details

## Summary

A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system.

Affected versions: Deno v2.7.0, v2.7.1

## Details

The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a precedence bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes (L1293). Double quotes in POSIX sh do not suppress backtick command substitution, so an injected command inside a double-quoted argument is still executed by the shell.

Attack chain:

1. escapeShellArg wraps the argument in single quotes (safe)
2. op_node_parse_shell_args strips the single-quote delimiters during tokenization (raw argument exposed)
3. Re-quoting detects the $VAR pattern and applies double quotes
4. Backtick payload inside double quotes executes via /bin/sh

## Impact

OS Command Injection (CWE-78). Any application using node:child_process spawn/spawnSync with shell: true and user-controlled arguments is vulnerable. Injected commands execute at the OS process level, outside Deno's permission sandbox. Only --allow-run is required.

## Mitigation

Avoid passing user-controlled input as arguments to spawn/spawnSync with shell: true. Use shell: false (the default) instead, so arguments are passed directly to the executable without shell parsing, or validate inputs before passing them, preferably against an allowlist of permitted characters rather than a blocklist of metacharacters, since an incomplete blocklist is what failed here.


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:02:18Z",
    "nvd_published_at": "2026-03-12T20:16:06Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n  A command injection vulnerability exists in Deno\u0027s `node:child_process` polyfill (`shell: true` mode) that bypasses the fix\n  for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to `spawnSync` or `spawn` with `shell:\n  true` can execute arbitrary OS commands, bypassing Deno\u0027s permission system.\n\n  **Affected versions:** Deno v2.7.0, v2.7.1\n\n  ## Details\n\n  The two-stage argument sanitization in `transformDenoShellCommand` (`ext/node/polyfills/internal/child_process.ts`) has a\n  priority bug: when an argument contains a `$VAR` pattern, it is wrapped in double quotes (L1290) instead of single quotes\n  (L1293). Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute.\n\n  Attack chain:\n  1. `escapeShellArg` wraps the argument in single quotes (safe)\n  2. `op_node_parse_shell_args` strips the single-quote delimiters during tokenization (raw argument exposed)\n  3. Re-quoting detects `$VAR` pattern \u2192 applies double quotes\n  4. Backtick payload inside double quotes executes via `/bin/sh`\n\n  ## Impact\n\n  **OS Command Injection (CWE-78)**. Any application using `node:child_process` `spawn`/`spawnSync` with `shell: true` and\n  user-controlled arguments is vulnerable. Injected commands execute at the OS process level, outside Deno\u0027s permission\n  sandbox. Only `--allow-run` is required.\n\n  ## Mitigation\n\n  Avoid passing user-controlled input as arguments to `spawn`/`spawnSync` with `shell: true`. Use `shell: false` (the default)\n  instead, or validate/sanitize inputs before passing them.",
  "id": "GHSA-4c96-w8v2-p28j",
  "modified": "2026-03-13T20:02:18Z",
  "published": "2026-03-13T20:02:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32260"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process"
}
