CVE-2025-61787 · HIGH 8.1 · EPSS p79.4%

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.11% probability of exploitation · percentile 79.4% · 2026-06-19T12:03:05Z
Published: 2025-10-08
Last modified: 2025-10-16

Underlying weaknesses · 1

CWE-77

References

  1. https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822
  2. https://github.com/denoland/deno/pull/30818
  3. https://github.com/denoland/deno/releases/tag/v2.2.15
  4. https://github.com/denoland/deno/releases/tag/v2.5.3
  5. https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-27190
  2. CVE-2026-22864
  3. CVE-2026-32260
  4. CVE-2025-48935
  5. CVE-2026-21256
  6. CVE-2026-11417

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.