{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22864", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-12T16:20:16.746Z", "datePublished": "2026-01-15T22:58:52.463Z", "dateUpdated": "2026-01-16T17:16:02.143Z"}, "containers": {"cna": {"title": "Deno has an incomplete fix for command-injection prevention on Windows \u2014 case-insensitive extension bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6"}, {"name": "https://github.com/denoland/deno/releases/tag/v2.5.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/denoland/deno/releases/tag/v2.5.6"}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"version": "< 2.5.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T22:58:52.463Z"}, "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path\u2019s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6."}], "source": {"advisory": "GHSA-m3c4-prhw-mrx6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T17:15:35.078037Z", "id": "CVE-2026-22864", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T17:16:02.143Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22864", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-16T17:15:35.078037Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T17:15:51.216Z"}}], "cna": {"title": "Deno has an incomplete fix for command-injection prevention on Windows \u2014 case-insensitive extension bypass", "source": {"advisory": "GHSA-m3c4-prhw-mrx6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "denoland", "product": "deno", "versions": [{"status": "affected", "version": "< 2.5.6"}]}], "references": [{"url": "https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6", "name": "https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/denoland/deno/releases/tag/v2.5.6", "name": "https://github.com/denoland/deno/releases/tag/v2.5.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path\u2019s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T22:58:52.463Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22864", "state": "PUBLISHED", "dateUpdated": "2026-01-16T17:16:02.143Z", "dateReserved": "2026-01-12T16:20:16.746Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T22:58:52.463Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*", "matchCriteriaId": "D302E8AF-7ACC-4470-B0AB-B865727AE026", "versionEndExcluding": "2.5.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path\u2019s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6."}], "id": "CVE-2026-22864", "lastModified": "2026-01-21T14:32:39.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-15T23:15:51.937", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/denoland/deno/releases/tag/v2.5.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:53:19.347819+00:00", "value": {"mitigation_remediation": ["Update Deno to version 2.5.6 or later.", "If an update cannot be applied immediately, restrict the allowed extensions for spawned paths to a whitelist that excludes .bat and .cmd in any case variation.", "Apply input validation to ensure that any value passed to spawn functions is sanitized and does not contain disallowed extensions, thereby mitigating the underlying command injection flaw."], "summary": {"action": "Immediate Patch", "impact": "Command Injection leading to Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Deno, the JavaScript/TypeScript runtime, is affected in all releases prior to version 2.5.6. Updating to 2.5.6 or later resolves the issue.", "description_and_impact": "A case-sensitive check intended to block Windows batch files only compares against lowercase literals, allowing attackers to bypass it by using alternate casing such as .BAT or .Bat. This flaw enables spawning of arbitrary Windows shell commands, resulting in remote code execution. The weakness aligns with CWE-77, known for command injection scenarios.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, while the EPSS of less than 1% suggests a low yet non-zero likelihood of exploitation. Because the flaw permits arbitrary command execution on Windows when an untrusted path is passed to spawn, an attacker who can influence the spawned path\u2014such as through a remote code execution vector or local privilege\u2014could elevate privileges or take full control of the host. The vulnerability is not listed in the CISA KEV catalog, but the high impact and potential for widespread exploitation warrant immediate attention."}}}}, "created": "2026-01-16T13:42:09.193327+00:00", "updated": "2026-04-18T06:00:08.492733+00:00", "vendors": ["deno", "deno$PRODUCT$deno"]}