Command Line Injection Vulnerability in Deno by Denoland
CVE-2025-61787
What is CVE-2025-61787?
CVE-2025-61787 is a command line injection vulnerability found in Deno, a modern runtime for executing JavaScript, TypeScript, and WebAssembly applications. This vulnerability specifically affects versions prior to 2.5.3 and 2.2.15 of Deno when operating on Windows systems. The issue arises from the way Windows handles batch file execution; when a batch file is executed, the CreateProcess() function implicitly spawns cmd.exe, allowing malicious actors to inject arbitrary commands through crafted inputs. This can lead to unauthorized command execution on the system, posing a significant risk to organizations that rely on Deno for their application development and deployment.
The impact of this vulnerability can be particularly severe, as it provides an attack vector for malicious users to execute arbitrary commands with the same privileges as the Deno process. As Deno is often used to develop and run applications in various environments, the ramifications of an exploitation could result in unauthorized access, data manipulation, or system compromises, thereby undermining the security posture of affected organizations.
Potential Impact of CVE-2025-61787
-
Unauthorized Command Execution: Attackers can exploit this vulnerability to execute arbitrary commands on a compromised system, potentially leading to unauthorized access or control of sensitive resources.
-
Data Breach Risks: Through command injection, attackers might manipulate or exfiltrate sensitive data, leading to confidentiality breaches and the loss of critical organizational information.
-
System Compromise: Successful exploitation could allow adversaries to install additional malware or other malicious payloads, escalating the threat level and leading to further attacks against the organization’s infrastructure.
Affected Version(s)
deno >= 2.3.0, < 2.5.3 < 2.3.0, 2.5.3
deno < 2.2.15 < 2.2.15