8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61787

CVE-2025-61787: Deno is Vulnerable to Command Injection on Windows During Batch File Execution

Summary

Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.

Details

In Windows, CreateProcess() always implicitly spawns cmd.exe if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows as demonstrated by the two proves-of-concept below.

PoC

Using node:child_process (with the env and run permissions):

const { spawn } = require('node:child_process');
const child = spawn('./test.bat', ['&calc.exe']);

Using Deno.Command.spawn() (with the run permission):

const command = new Deno.Command('./test.bat', {
  args: ['&calc.exe'],
});
const child = command.spawn();

Impact

Both of these scripts result in opening calc.exe on Windows, thus allowing a Command Line Injection attack when user-provided arguments are passed if the script being executed by the child process is a batch script.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-61787

CVE-2025-61787:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
deno	rust	< 2.5.2	2.5.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in how Deno's Deno.Command.spawn() and node:child_process.spawn() APIs handle file execution on Windows. The root cause is that when a batch file (.bat or .cmd) is executed, the Windows CreateProcess() function implicitly involves cmd.exe, which can lead to command injection if arguments are not properly sanitized. The provided patch addresses this by explicitly disallowing the direct execution of .bat and .cmd files within the compute_run_cmd_and_check_permissions function in ext/process/lib.rs. This function is a key part of the command execution pipeline, and the added check prevents the vulnerability from being triggered. The test file tests/unit/command_test.ts was also updated with a new test case, rejectBatAndCmdFiles, to verify the fix. Therefore, the compute_run_cmd_and_check_permissions function is the precise location of the vulnerable code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-61787: Deno is Vulnerable to Command Injection on Windows During Batch File Execution

Summary

Details

PoC

Impact

CVE-2025-61787:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-61787: Deno is Vulnerable to Command Injection on Windows During Batch File Execution

Summary

Details

PoC

Impact

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.1

8.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI