QwikSec

Security Database

CVE

CWE

Training

CVE-2025-61787

Published: Oct 8, 2025

Modified: Oct 8, 2025

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.

Vendor	Product	Versions
denoland	deno	affected `>= 2.3.0, < 2.5.3` affected `< 2.2.15`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3

x_refsource_CONFIRM

https://github.com/denoland/deno/pull/30818

x_refsource_MISC

https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822

x_refsource_MISC

https://github.com/denoland/deno/releases/tag/v2.2.15

x_refsource_MISC

https://github.com/denoland/deno/releases/tag/v2.5.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.