CVE-2025-61787
HIGH EPSS 79.5%
Published Oct 8, 20258mo ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
Published Oct 8, 2025 8mo ago
Last Modified Jun 17, 2026 2w ago
Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
79.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-77 Command Injection Injection
Affected Products 3
References 5
- github.com https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
- github.com https://github.com/denoland/deno/pull/30818
- github.com https://github.com/denoland/deno/releases/tag/v2.2.15
- github.com https://github.com/denoland/deno/releases/tag/v2.5.3
- github.com https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3
Remediation
- github.com https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
- github.com https://github.com/denoland/deno/pull/30818