CVE-2025-61787

HIGH EPSS 79.5%
Published Oct 8, 20258mo ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
High
Find Similar
Published Oct 8, 2025 8mo ago
Last Modified Jun 17, 2026 2w ago

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
79.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-77 Command Injection Injection

Affected Products 3

VendorProductVersionRange
denodeno* ≤2.2.15
denodeno*≥2.3.0  –  <2.5.3
microsoftwindows*any

References 5

  • github.com https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
    Patch
  • github.com https://github.com/denoland/deno/pull/30818
    Issue TrackingPatch
  • github.com https://github.com/denoland/deno/releases/tag/v2.2.15
    Release Notes
  • github.com https://github.com/denoland/deno/releases/tag/v2.5.3
    Release Notes
  • github.com https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
    Patch
  • github.com https://github.com/denoland/deno/pull/30818
    Issue TrackingPatch