VYPR
High severity · 8.1 · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

Deno: Command Injection via spawnSync & spawn on Windows

CVE-2026-49402

Description

Deno's node:child_process on Windows fails to escape cmd.exe metacharacters in escapeShellArg(), allowing command injection via shell: true.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Deno's node:child_process implementation on Windows provides an escapeShellArg() helper used when callers pass shell: true to spawn, spawnSync, exec, and related functions. The helper uses a regex (/["\\]/) that only checks for whitespace, double-quote, and backslash, failing to quote arguments containing cmd.exe metacharacters such as &, |, <, >, ^, !, (, ). Additionally, % characters are not neutralized, allowing environment-variable expansion even inside double-quoted strings. This affects Deno versions prior to 2.7.10 on Windows [1][2].

Exploitation

An attacker who controls any portion of an argument passed to a child_process function with shell: true can inject arbitrary commands. No authentication or special privileges are required if the attacker can supply input to the Deno process. For example, passing "test&calc.exe" as an argument to spawnSync("echo", [maliciousInput], { shell: true }) causes cmd.exe to execute calc.exe after the echo command. The same technique works with other metacharacters like |, <, >, ^, !, (, and ) [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the Windows host with the same privileges as the Deno process. This can lead to data exfiltration, installation of malware, or full system compromise. The vulnerability is the Windows counterpart to CVE-2026-27190, which addressed the same issue on Unix [1][2].

Mitigation

The vulnerability is fixed in Deno version 2.7.10, released shortly after disclosure. Users should update to this version or later. As a workaround, avoid using shell: true with untrusted input, or manually sanitize arguments to escape all cmd.exe metacharacters and double % signs. No other mitigations are available [1][2].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `escapeShellArg()` helper on Windows only quoted arguments containing whitespace, double-quote, or backslash, failing to neutralize `cmd.exe` metacharacters like `&`, `|`, `<`, `>`, `^`, `!`, `(`, `)`, and `%`."

Attack vector

An attacker who controls any portion of an argument passed to `spawn`, `spawnSync`, or `exec` with `shell: true` on Windows can inject arbitrary commands. The shell invocation runs via `cmd.exe /d /s /c "<command line>"`, and because `escapeShellArg()` only quotes arguments containing whitespace, double-quote, or backslash, an argument like `"test&calc.exe"` is returned unquoted. The `&` character is then interpreted by `cmd.exe` as a command separator, allowing the attacker to chain additional commands. The same injection works with `|`, `<`, `>`, `^`, `!`, `(`, and `)`. Even when arguments are quoted, `%FOO%` environment-variable references are expanded by `cmd.exe` inside double-quoted strings, potentially leaking sensitive data. [CWE-77] [ref_id=1] [ref_id=2]

Affected code

The `escapeShellArg()` helper in Deno's `node:child_process` implementation on Windows used the regex `/["\\]/` to decide whether to quote an argument. This regex only matched whitespace, double-quote, and backslash, so any argument containing `cmd.exe` metacharacters such as `&`, `|`, `<`, `>`, `^`, `!`, `(`, `)` — but none of those three characters — was returned unquoted and interpreted by the shell. Additionally, `%` was not neutralized, allowing environment-variable expansion even inside double-quoted strings.

What the fix does

The advisory does not include a patch diff, but the fix must extend the `escapeShellArg()` regex on Windows to detect all `cmd.exe` metacharacters (`&`, `|`, `<`, `>`, `^`, `!`, `(`, `)`, `%`) and either quote the argument or reject it. Additionally, `%` must be doubled or rejected to prevent environment-variable expansion inside double-quoted strings. The advisory notes that the Unix branch was already fixed under CVE-2026-27190. [ref_id=1] [ref_id=2]
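An added example (not Deno's code and not the patch) that contrasts the quoting decision this section and the Mitigation section attribute to the vulnerable Windows `escapeShellArg()` with a hardened variant that also quotes on `cmd.exe` metacharacters and doubles `%`. The vulnerable predicate `/[\s"\\]/`, the plain-wrapping behaviour of `vulnEscapeShellArg`, and the function names are assumptions reconstructed from the advisory's wording.

```javascript
// Added example, not Deno's code: the quoting decision the advisory describes
// for the vulnerable Windows escapeShellArg(), next to a hardened variant.

// ASSUMPTION: reconstructed from the advisory's wording ("only quoted arguments
// containing whitespace, double-quote, or backslash"); not the real regex.
const VULN_NEEDS_QUOTE = /[\s"\\]/;

// cmd.exe metacharacters the advisory lists as unhandled.
const CMD_META = /[&|<>^!()%]/;

// Vulnerable decision: metacharacters alone never trigger quoting, so
// "test&calc.exe" is returned bare and `&` becomes a command separator.
function vulnNeedsQuoting(arg) {
  return VULN_NEEDS_QUOTE.test(arg);
}

// Hardened decision: any cmd.exe metacharacter forces quoting as well.
function hardenedNeedsQuoting(arg) {
  return VULN_NEEDS_QUOTE.test(arg) || CMD_META.test(arg);
}

// Reconstructed vulnerable escaper (ASSUMPTION: plain wrapping in quotes).
function vulnEscapeShellArg(arg) {
  return vulnNeedsQuoting(arg) ? `"${arg}"` : arg;
}

// Hardened escaper: rejects embedded double-quotes (they would terminate the
// quoted span), doubles `%` so cmd.exe does not expand %VAR% even inside
// quotes (the advisory's suggested workaround), then quotes when needed.
function hardenedEscapeShellArg(arg) {
  if (arg.includes('"')) {
    throw new Error("argument contains a double-quote; refusing to pass it to cmd.exe");
  }
  const doubled = arg.replace(/%/g, "%%");
  return hardenedNeedsQuoting(arg) ? `"${doubled}"` : doubled;
}

// Builds the string that would follow `cmd.exe /d /s /c`, using either escaper.
function buildCommandLine(file, args, escape) {
  return [file, ...args.map(escape)].join(" ");
}

// Constructed sample taken from the advisory's reproduction.
const maliciousInput = "test&calc.exe";
console.log(buildCommandLine("echo", [maliciousInput], vulnEscapeShellArg));     // echo test&calc.exe
console.log(buildCommandLine("echo", [maliciousInput], hardenedEscapeShellArg)); // echo "test&calc.exe"
```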

Preconditions

  • config: The Deno process must be running on Windows
  • config: The call must use `shell: true` (the default is `shell: false`)
  • input: The attacker must control at least part of an argument passed to `spawn`, `spawnSync`, or `exec`

Reproduction

```js
// Reproduction from the advisory: with shell: true on Windows, the "&" in the
// argument reaches cmd.exe unquoted and is treated as a command separator.
import { spawnSync } from "node:child_process";

const maliciousInput = "test&calc.exe";
const result = spawnSync("echo", [maliciousInput], {
  shell: true,
  encoding: "utf-8",
});
console.log(result);
```

Observed: `calc.exe` launched as a side effect of the `echo` call. [ref_id=1] [ref_id=2]

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in the index yet)