CVE-2025-61787
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deno | deno | to 2.2.15 (inc) |
| deno | deno | From 2.3.0 (inc) to 2.5.3 (exc) |
| microsoft | windows | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Deno versions prior to 2.5.3 (and prior to 2.2.15 on the 2.2.x branch) on Windows. When a batch file (.bat, .cmd, etc.) is executed, Windows' CreateProcess() function implicitly spawns cmd.exe to run it, even when cmd.exe was not the requested executable, so the arguments are re-parsed by the shell. This behavior allows an attacker who influences those arguments to perform command line injection, potentially executing arbitrary commands through Deno.
How can this vulnerability impact me?
The vulnerability can lead to an attacker executing arbitrary commands on a Windows system running vulnerable versions of Deno. This can result in full compromise of confidentiality, integrity, and availability of the affected system, as indicated by the high CVSS score (8.1) with high impact on confidentiality, integrity, and availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Deno to version 2.5.3 or later (for the 2.5.x branch) or 2.2.15 or later (for the 2.2.x branch) to fix the command line injection vulnerability on Windows.
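The Q&A above describes the root cause: on Windows, a .bat or .cmd target is run through cmd.exe, so every argument is re-parsed by the shell. As an added illustration of the defensive check a caller can apply before spawning (this is example code written for this page, not Deno's own fix), the TypeScript below refuses to pass arguments containing cmd.exe metacharacters to a batch-file target. The function names and the metacharacter list are assumptions chosen for the example; the list is deliberately conservative rather than a complete model of cmd.exe parsing, and the safest course remains the upgrade stated above.

```typescript
// Added example, not code from Deno: a pre-spawn guard for Windows batch files.
// Because CreateProcess() runs .bat/.cmd targets via cmd.exe, arguments handed
// to such a target are re-parsed by the shell. This guard rejects arguments
// that contain characters cmd.exe treats specially, instead of trusting that
// the caller escaped them correctly.

// Extensions that Windows hands to cmd.exe (assumption: .bat and .cmd only).
const BATCH_EXTENSIONS: string[] = [".bat", ".cmd"];

// Characters cmd.exe interprets when it re-parses a command line
// (assumption: a conservative deny-list; `%` and `!` cover variable expansion).
const CMD_METACHARACTERS = /[&|<>^%!"\r\n]/;

interface SpawnCheck {
  ok: boolean;
  reason?: string;
}

// True when the target path names a batch file (case-insensitive, as on Windows).
function isBatchFile(target: string): boolean {
  const lower = target.trim().toLowerCase();
  return BATCH_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

// True when an argument contains a character cmd.exe would reinterpret.
function hasCmdMetacharacters(arg: string): boolean {
  return CMD_METACHARACTERS.test(arg);
}

// Decide whether spawning `target` with `args` is safe from shell re-parsing.
// Non-batch targets are not routed through cmd.exe, so they pass unchanged.
function checkBatchSpawn(target: string, args: string[]): SpawnCheck {
  if (!isBatchFile(target)) {
    return { ok: true };
  }
  for (const arg of args) {
    if (hasCmdMetacharacters(arg)) {
      return {
        ok: false,
        reason: `argument ${JSON.stringify(arg)} would be re-parsed by cmd.exe`,
      };
    }
  }
  return { ok: true };
}

// Constructed sample inputs: a clean call and one that would be refused.
function demo(): SpawnCheck[] {
  return [
    checkBatchSpawn("C:\\tools\\build.cmd", ["release", "x64"]),
    checkBatchSpawn("C:\\tools\\build.cmd", ["release", "x64 & extra"]),
  ];
}

for (const result of demo()) {
  console.log(result.ok ? "spawn allowed" : `spawn refused: ${result.reason}`);
}
```

A runtime-level fix does the equivalent internally; this guard is the application-side version that lets a program fail closed when it must keep running on a version it cannot yet upgrade.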