CVE-2026-32260
Published 2026-03-12
Priority P268 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 1.48% (70.7th percentile)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions 2.7.0 and 2.7.1, a command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (line 1290 of that file) instead of single quotes. Double quotes in POSIX sh suppress word splitting and globbing but leave $, backtick and backslash active, so backtick command substitution (and $(...) likewise) embedded in such an argument still executes. An attacker who controls arguments passed to spawnSync or spawn with shell: true can therefore execute arbitrary OS commands, bypassing Deno's permission system. Fixed in 2.7.2.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deno | deno | >= 2.7.0 < 2.7.2 | 2.7.2 |
Detection & IOCs (extracted from sources)
- Vulnerable code path is the `transformDenoShellCommand` function in `ext/node/polyfills/internal/child_process.ts`. Monitor for use of `spawn`/`spawnSync` with `shell: true` in Deno environments running versions 2.7.0–2.7.1.
- Detect backtick command substitution patterns (`` `...` ``) in arguments passed to child_process `spawn`/`spawnSync` with `shell: true` in Deno's node compatibility layer, since double-quote wrapping does not suppress backtick execution in POSIX sh.
- Alert on child_process calls (`spawnSync` or `spawn`) with `shell: true` where arguments contain `$VAR` patterns, as these trigger the vulnerable double-quote wrapping code path (line 1290) instead of the safe single-quote wrapping.
- The vulnerability only manifests when `shell: true` is passed to `spawn` or `spawnSync` in Deno's `node:child_process` polyfill. Calls without `shell: true` are not affected.
- This is a bypass of the prior fix for CVE-2026-27190; environments that applied the CVE-2026-27190 patch but have not yet upgraded to Deno 2.7.2 remain vulnerable.
- The priority bug specifically triggers on arguments containing a `$VAR` pattern: those are wrapped in double quotes at line 1290 instead of single quotes, so only that subset of arguments is exploitable via backtick substitution.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
GHSA
ghsa · 2026-03-13 · CVSS 9.8
CVE-2026-32260 [CRITICAL] CWE-78 Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process
## Summary
A command injection vulnerability exists in Deno's `node:child_process` polyfill (`shell: true` mode) that bypasses the fix for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to `spawnSync` or `spawn` with `shell: true` can execute arbitrary OS commands, bypassing Deno's permission system.
**Affected versions:** Deno v2.7.0, v2.7.1
## Details
The two-stage argument sanitization in `transformDenoShellCommand` (`ext/node/polyfills/internal/child_process.ts`) has a priority bug: when an argument contains a `$VAR` pattern, it is wrapped in double quotes (line 1290) instead of single quotes (line 1293). Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute.
OSV
osv · 2026-03-13 · CVSS 9.8
CVE-2026-32260 [CRITICAL] Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process
No detection rules found.
No public exploits indexed.