Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32260 is a high-severity command injection vulnerability in Deno's node:child_process polyfill when using shell: true mode. It affects Deno versions 2.7.0 and 2.7.1 and was fixed in version 2.7.2."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the argument sanitization function transformDenoShellCommand improperly wraps arguments containing a $VAR pattern in double quotes instead of single quotes. In POSIX shells, double quotes do not prevent backtick command substitution, which allows an attacker to inject and execute arbitrary OS commands.'}, {'type': 'paragraph', 'content': "An attacker who controls arguments passed to spawn or spawnSync with shell: true can exploit this to bypass Deno's permission system and run arbitrary commands on the operating system."}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to arbitrary OS command execution by an attacker who controls input to spawn or spawnSync functions with shell: true in Deno.'}, {'type': 'paragraph', 'content': "Such command injection can compromise the confidentiality, integrity, and availability of your system, as attackers can run unauthorized commands outside of Deno's permission sandbox."}, {'type': 'paragraph', 'content': 'The vulnerability requires only the --allow-run permission and no user interaction or privileges, making it easier for attackers to exploit.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability occurs when user-controlled input is passed to Deno's node:child_process spawn or spawnSync functions with shell: true mode, leading to command injection. Detection involves identifying usage of these functions with shell: true and untrusted input."}, {'type': 'paragraph', 'content': 'Since the vulnerability is in Deno versions 2.7.0 and 2.7.1, checking the Deno version installed on your system is a primary step.'}, {'type': 'list_item', 'content': 'Run `deno --version` to determine if your Deno runtime is version 2.7.0 or 2.7.1.'}, {'type': 'list_item', 'content': 'Audit your codebase for usage of `spawn` or `spawnSync` from the node:child_process polyfill with the option `shell: true`.'}, {'type': 'list_item', 'content': 'Look for instances where arguments passed to these functions include variables or user input that might contain shell metacharacters like `$VAR` or backticks.'}, {'type': 'paragraph', 'content': 'There are no specific network detection commands provided, as this is a runtime code injection vulnerability rather than a network-based exploit.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Deno to version 2.7.2 or later where the issue is fixed.

If upgrading is not immediately possible, avoid passing user-controlled input to spawn or spawnSync functions with shell: true.

• Use `shell: false` (the default) instead of `shell: true` when calling spawn or spawnSync to prevent shell command injection.
• Properly validate and sanitize all inputs that might be passed to these functions to ensure no shell metacharacters or command substitution patterns are present.

Restrict the use of the --allow-run permission in Deno to trusted code only, as this vulnerability requires that permission to be exploitable.

Useful 0 Not Useful 0