Command Line Injection Vulnerability in Deno by Denoland
CVE-2025-61787

8.1HIGH

Key Information:

Vendor

Denoland

Status
Deno
Vendor
CVE Published:
8 October 2025

What is CVE-2025-61787?

Deno, a runtime for JavaScript, TypeScript, and WebAssembly, is susceptible to Command Line Injection attacks on Windows systems due to the way batch files are processed. When executing batch files, the CreateProcess() function automatically invokes cmd.exe, which can be exploited if an attacker carefully crafts command inputs. Versions 2.5.3 and 2.2.15 of Deno address this vulnerability, ensuring that the application mitigates the risk of unauthorized command execution.

Affected Version(s)

deno >= 2.3.0, < 2.5.3 < 2.3.0, 2.5.3

deno < 2.2.15 < 2.2.15

References

https://github.com/denoland/deno/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/denoland/deno/pull/30818
x_refsource_MISC
https://github.com/denoland/deno/commit/8a0990ccd37bafd87...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-61787 : Command Line Injection Vulnerability in Deno by Denoland