CVE-2025-61787


Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.


Published

2025-10-08T02:15:41.897

Last Modified

2025-10-16T18:14:53.107

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-77

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | deno | deno | ≤ 2.2.15 | Yes |
| Application | deno | deno | < 2.5.3 | Yes |
| Operating System | microsoft | windows | - | No |

References