Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Related CPE's

a

deno

deno

Vulnerable

References

https://github.com/denoland/deno/releases/tag/v2.5.6

Release Notes

https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6

ExploitVendor Advisory

Weaknesses

[email protected]

Primary
CWE-77

CVSS impact metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 · High

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-15T23:15:51.937Z

1 month ago

Last modified

2026-01-21T14:32:39.837Z

1 month ago