CVE-2026-22864
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| denoland | deno | all versions before 2.5.6 (2.5.6 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Deno versions prior to 2.5.6 is a command injection issue on Windows systems. A prior patch tried to block spawning Windows batch or shell files by checking if the file extension was '.bat' or '.cmd' using a case-sensitive comparison against lowercase literals. However, this check could be bypassed by using alternate casing in the file extension (e.g., '.BAT', '.Bat'), allowing malicious batch scripts to be executed. This means attackers could run arbitrary commands by exploiting this casing bypass. [2]
How can this vulnerability impact me?
This vulnerability allows remote attackers to perform command injection on affected Deno versions without requiring privileges or user interaction. Exploiting it can lead to execution of arbitrary commands, potentially compromising the confidentiality, integrity, and availability of the system running Deno. This high severity impact means attackers could take control of the system or disrupt its operation. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your Deno installation version is prior to 2.5.6. Additionally, you can test if spawning batch files with alternate casing extensions (e.g., .BAT, .Bat) is possible. For example, attempt to spawn a command like './test.BAT' that executes a harmless command such as 'calc.exe' on Windows. If this executes, your system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Deno to version 2.5.6 or later, which includes a fix that enforces case-insensitive checks on batch file extensions to block execution regardless of casing. [2]
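Added example (not Deno's own code): a reconstruction of the flawed case-sensitive extension check described in the explanation above, beside the case-insensitive form that the 2.5.6 fix enforces, run over constructed sample program names; function names are assumed.

```rust
use std::ffi::OsStr;
use std::path::Path;

/// Extensions that must not be handed to the process launcher directly on
/// Windows: a .bat/.cmd launch goes through cmd.exe, the CWE-77 concern here.
const BLOCKED_EXTENSIONS: [&str; 2] = ["bat", "cmd"];

/// Flawed check, modelled on the pre-2.5.6 behaviour: the extension is
/// compared byte-for-byte against lowercase literals, so "script.BAT"
/// or "script.Cmd" is not recognised as a batch file.
pub fn is_blocked_case_sensitive(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(OsStr::to_str)
        .map(|ext| BLOCKED_EXTENSIONS.contains(&ext))
        .unwrap_or(false)
}

/// Hardened check, modelled on the fix: compare the extension
/// case-insensitively, so every casing of .bat / .cmd is rejected.
pub fn is_blocked_case_insensitive(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(OsStr::to_str)
        .map(|ext| BLOCKED_EXTENSIONS.iter().any(|b| b.eq_ignore_ascii_case(ext)))
        .unwrap_or(false)
}

/// Audit helper: names that the flawed check lets through but the
/// hardened check stops, i.e. exactly the casing-bypass cases.
pub fn bypasses(programs: &[&str]) -> Vec<String> {
    programs
        .iter()
        .filter(|p| !is_blocked_case_sensitive(p) && is_blocked_case_insensitive(p))
        .map(|p| p.to_string())
        .collect()
}

fn main() {
    // Constructed sample names (hypothetical), not taken from the advisory.
    let samples = ["./test.bat", "./test.BAT", "tool.Cmd", "notepad.exe", "build.cmd"];
    for s in samples.iter() {
        println!("{s:>12}  old_check={}  fixed_check={}",
                 is_blocked_case_sensitive(s), is_blocked_case_insensitive(s));
    }
    println!("casing bypasses of the old check: {:?}", bypasses(&samples));
}
```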