CVE-2026-49402
Undergoing Analysis Undergoing Analysis - In Progress
Deno Node Child Process Command Injection

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters and did not neutralize % (which cmd.exe expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned cmd.exe invocation. This vulnerability is fixed in 2.7.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-24
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-49402
EUVD
EUVD-2026-38546
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
denoland deno to 2.7.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49402 is a command injection vulnerability in Deno's Windows implementation of the node:child_process module. It occurs when the escapeShellArg() helper function fails to properly escape cmd.exe metacharacters such as &, |, <, >, ^, !, (, ), and %, which cmd.exe expands even inside quoted strings.

This flaw allows an attacker who controls any part of an argument passed to functions like spawn, spawnSync, or exec with shell: true to inject arbitrary additional commands into the spawned cmd.exe invocation, potentially executing malicious commands.

The vulnerability affects Deno versions prior to 2.7.10 and was confirmed on Windows 11 with Deno 2.7.5.

Compliance Impact

This vulnerability allows attackers to execute arbitrary commands remotely without privileges or user interaction, potentially compromising the confidentiality, integrity, and availability of systems running vulnerable versions of Deno on Windows.

Such a compromise could lead to unauthorized access to sensitive data or disruption of services, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require protection of data confidentiality and system integrity.

Mitigating this vulnerability by updating Deno to version 2.7.10 or later, avoiding the use of `shell: true` on Windows, and sanitizing inputs can help maintain compliance with these standards.

Impact Analysis

This vulnerability can have severe impacts including arbitrary command execution on the affected system.

  • An attacker can execute additional commands remotely without requiring privileges or user interaction.
  • It can compromise confidentiality by allowing unauthorized access to sensitive data.
  • It can affect integrity by enabling unauthorized modification of data or system state.
  • It can impact availability by allowing attackers to disrupt system operations.
Detection Guidance

This vulnerability involves command injection through improperly escaped arguments when using Deno's node:child_process module with shell: true on Windows.

To detect if your system is vulnerable, first check the Deno version. Versions prior to 2.7.10 are affected.

  • Run the command `deno --version` to determine the installed Deno version.

To detect exploitation attempts or suspicious activity, monitor for unusual command executions or processes spawned via cmd.exe that include metacharacters such as &, |, <, >, ^, !, (, ), or % in arguments.

  • On Windows, use PowerShell or command prompt to check running processes: `Get-Process` or `tasklist`.
  • Use system or application logs to identify commands spawned with shell: true that include suspicious metacharacters.
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Deno to version 2.7.10 or later where the issue is fixed.

If upgrading is not immediately possible, avoid using the shell: true option with spawn, spawnSync, or exec functions on Windows.

Build command arguments directly without relying on shell interpretation to prevent injection.

Filter or sanitize any untrusted input to remove or neutralize cmd.exe metacharacters such as &, |, <, >, ^, !, (, ), and %.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart