CVE-2025-61787 Overview
CVE-2025-61787 is a Command Injection vulnerability affecting the Deno JavaScript, TypeScript, and WebAssembly runtime on Windows systems. The vulnerability exists because Windows CreateProcess() implicitly spawns cmd.exe when executing batch files (.bat, .cmd, etc.), even when the application does not explicitly specify it via the command line. This behavior allows attackers to inject arbitrary commands when Deno applications execute batch files, potentially leading to full system compromise.
Critical Impact
Attackers can exploit this vulnerability to execute arbitrary commands on Windows systems running vulnerable versions of Deno, potentially gaining unauthorized access, exfiltrating data, or establishing persistence.
Affected Products
- Deno versions prior to 2.5.3
- Deno versions prior to 2.2.15
- Microsoft Windows (all versions when running vulnerable Deno)
Discovery Timeline
- 2025-10-08 - CVE-2025-61787 published to NVD
- 2025-10-16 - Last updated in NVD database
Technical Details for CVE-2025-61787
Vulnerability Analysis
This Command Injection vulnerability (CWE-77) stems from how Windows handles process creation when batch files are involved. When a Deno application attempts to execute a batch file, the Windows CreateProcess() function automatically invokes cmd.exe to interpret the batch file, regardless of whether the calling application intended this behavior. This implicit shell invocation creates an opportunity for command injection if user-controlled input is passed to batch file execution.
The vulnerability is particularly dangerous in scenarios where Deno applications process external input and use it to construct or execute batch file commands. An attacker can craft malicious input containing shell metacharacters that, when processed by cmd.exe, execute additional arbitrary commands beyond the intended batch file operation.
Root Cause
The root cause lies in the Windows operating system's design decision to automatically spawn cmd.exe when CreateProcess() encounters batch file extensions (.bat, .cmd). Prior to the fix, Deno did not validate or restrict the execution of batch files, allowing the implicit shell invocation to occur without warning. This design gap meant that even carefully sandboxed Deno applications could inadvertently expose command injection attack surfaces when interacting with batch files.
Attack Vector
The attack vector is network-accessible with high complexity. An attacker must be able to influence the arguments or content related to batch file execution within a Deno application. This could occur through:
- User-supplied filenames or paths that reference batch files
- Input data that gets incorporated into batch file arguments
- Manipulated environment variables or configuration files that affect batch execution
The attack requires no privileges and no user interaction, making it exploitable in automated environments.
// Security patch from ext/process/lib.rs - Source: GitHub Commit
// This fix rejects running .bat and .cmd files directly on Windows
command: arg_cmd.to_string(),
error: Box::new(e),
})?;
+ #[cfg(windows)]
+ if let Some(ext) = cmd.extension()
+ && (ext == "bat" || ext == "cmd")
+ {
+ return Err(ProcessError::SpawnFailed {
+ command: arg_cmd.to_string(),
+ error: Box::new(
+ std::io::Error::new(
+ std::io::ErrorKind::PermissionDenied,
+ "Use a shell to execute .bat or .cmd files",
+ )
+ .into(),
+ ),
+ });
+ }
check_run_permission(
state,
&RunQueryDescriptor::Path(
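Review bot: the extension test on the `if let` line, `ext == "bat" || ext == "cmd"`, is case-sensitive, while Windows matches file extensions case-insensitively, so a program path whose extension is spelled `.BAT` or `.Cmd` is not caught by this check even though CreateProcess still treats it as a batch file; compare with `ext.eq_ignore_ascii_case("bat") || ext.eq_ignore_ascii_case("cmd")` instead. Placing the rejection ahead of `check_run_permission` is fine, since it is unconditional and does not depend on the permission result.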
Source: GitHub Commit Changes
Detection Methods for CVE-2025-61787
Indicators of Compromise
- Unexpected cmd.exe process spawns originating from Deno runtime processes
- Batch file executions containing suspicious command-line arguments with shell metacharacters (;, &, |, >, <)
- Anomalous network connections or file system modifications following Deno process execution
- Process creation events showing batch file execution with encoded or obfuscated parameters
Detection Strategies
- Monitor process creation events for cmd.exe instances spawned as child processes of deno.exe or Deno-based applications
- Implement YARA rules to detect command injection patterns in batch file arguments within application logs
- Deploy endpoint detection rules that alert on unusual command chaining within batch file executions
- Audit Deno application code for patterns that pass user input to process spawning functions
Monitoring Recommendations
- Enable Windows Security Event logging for process creation (Event ID 4688) with command-line auditing
- Configure SentinelOne behavioral AI to detect anomalous shell command execution patterns
- Implement application-level logging for all subprocess invocations within Deno applications
- Review Deno runtime version inventory across all Windows systems to identify vulnerable deployments
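Added example in TypeScript, not from this page or from any vendor's product: triage of Windows Security Event ID 4688 records for the indicator listed above, cmd.exe spawned as a child of deno.exe. It assumes command-line auditing is enabled and each event is already parsed into the fields shown; the sample records are constructed.

```typescript
// Added example (not from the page or any vendor product): triage of Windows
// Security Event ID 4688 records for cmd.exe spawned by deno.exe. Assumes
// command-line auditing is enabled and the event has been parsed into the
// fields below; the sample records are constructed, not real telemetry.
type ProcessCreationEvent = {
  eventId: number;
  newProcessName: string;     // "New Process Name": full image path of the created process
  creatorProcessName: string; // "Creator Process Name": parent image path
  commandLine: string;        // "Process Command Line": present only with command-line auditing
};
type Finding = { severity: "low" | "medium" | "high"; reason: string; event: ProcessCreationEvent };

const BATCH_IN_CMDLINE = /\.(bat|cmd)(?=["\s]|$)/i;
const CMD_METACHARACTERS = /[;&|<>^]/; // IoC list above plus cmd.exe's escape character ^

function imageName(path: string): string {
  return (path.split(/[\\/]/).pop() ?? "").toLowerCase();
}

function triageProcessCreation(ev: ProcessCreationEvent): Finding | null {
  if (ev.eventId !== 4688) return null;
  if (imageName(ev.newProcessName) !== "cmd.exe") return null;
  if (imageName(ev.creatorProcessName) !== "deno.exe") return null;
  // Drop the leading program token so cmd.exe's own path is not inspected.
  const rest = ev.commandLine.replace(/^\s*("[^"]*"|\S+)\s*/, "");
  const runsBatch = BATCH_IN_CMDLINE.test(rest);
  const chains = CMD_METACHARACTERS.test(rest);
  if (runsBatch && chains) return { severity: "high", reason: "batch file run with command chaining or redirection", event: ev };
  if (runsBatch) return { severity: "medium", reason: "batch file run via implicitly spawned cmd.exe", event: ev };
  return { severity: "low", reason: "cmd.exe child of deno.exe", event: ev };
}

function triageAll(events: ProcessCreationEvent[]): Finding[] {
  return events.map(triageProcessCreation).filter((f): f is Finding => f !== null);
}

// Constructed sample records (not real telemetry).
const DENO = "C:\\Users\\svc\\.deno\\bin\\deno.exe";
const CMD = "C:\\Windows\\System32\\cmd.exe";
const SAMPLE_EVENTS: ProcessCreationEvent[] = [
  { eventId: 4688, newProcessName: CMD, creatorProcessName: DENO,
    commandLine: `${CMD} /c ""C:\\app\\scripts\\build.bat" release"` },
  { eventId: 4688, newProcessName: CMD, creatorProcessName: DENO,
    commandLine: `${CMD} /c ""C:\\app\\scripts\\build.bat" release & dir > C:\\temp\\o.txt"` },
  { eventId: 4688, newProcessName: CMD, creatorProcessName: "C:\\Windows\\explorer.exe", commandLine: "cmd.exe /c build.bat" },
  { eventId: 4689, newProcessName: CMD, creatorProcessName: DENO, commandLine: "" },
];
```

Only the two deno.exe-parented 4688 records are reported; the explorer.exe child and the non-4688 event are ignored.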
How to Mitigate CVE-2025-61787
Immediate Actions Required
- Upgrade Deno to version 2.5.3 or 2.2.15 immediately on all Windows systems
- Audit existing Deno applications for batch file execution patterns and user-controlled input flows
- Implement input validation and sanitization for any data that may influence process execution
- Consider temporarily disabling batch file execution in Deno applications until patches are applied
Patch Information
Deno has released patched versions that address this vulnerability by explicitly rejecting direct execution of .bat and .cmd files. The fix returns a PermissionDenied error with the message "Use a shell to execute .bat or .cmd files," requiring developers to explicitly handle batch file execution through controlled shell invocations.
Fixed Versions: Deno 2.5.3 and Deno 2.2.15 (see Affected Products above).
For technical details on the fix, refer to the GitHub Pull Request Discussion and the GitHub Security Advisory GHSA-m2gf-x3f6-8hq3.
Workarounds
- Avoid executing batch files directly from Deno applications; instead use PowerShell or explicit shell invocations with proper argument escaping
- Implement allowlist-based validation for any file paths or commands that interact with process execution
- Deploy application-layer firewalls or sandboxing to restrict Deno process capabilities
- Use containerization or virtualization to isolate Deno applications from critical system resources
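Added example in TypeScript (not Deno's code and not code from the patch): a pure-function sketch of the extension check the Patch Information section describes, alongside the explicit, controlled cmd.exe invocation that section and the Workarounds ask applications to use instead. The argument allowlist pattern and the `/d /c` switches are this example's own choices, and nothing is actually spawned.

```typescript
// Added example (not Deno's code): the same kind of extension check the patch
// adds, plus the "controlled shell invocation" an application needs once direct
// .bat/.cmd spawning is refused. Pure functions: nothing is spawned here.

// Characters cmd.exe interprets: the page's ; & | > < plus ^ (escape), % (variable
// expansion), " (quote toggling) and line breaks. Conservative by design.
const CMD_METACHARACTERS = /[;&|<>^%"\r\n]/;
// Allowlist for user-supplied arguments: identifiers, version strings, simple names.
const SAFE_ARGUMENT = /^[A-Za-z0-9_.-]{1,64}$/;

type SpawnPlan = { command: string; args: string[] };

// Windows matches extensions case-insensitively, so compare in lower case.
function isBatchFile(programPath: string): boolean {
  const base = programPath.split(/[\\/]/).pop() ?? "";
  const dot = base.lastIndexOf(".");
  if (dot < 0) return false;
  const ext = base.slice(dot + 1).toLowerCase();
  return ext === "bat" || ext === "cmd";
}

// Mirrors the patched runtime's behaviour for a direct spawn request.
function guardDirectSpawn(programPath: string, args: string[]): SpawnPlan {
  if (isBatchFile(programPath)) {
    throw new Error("PermissionDenied: Use a shell to execute .bat or .cmd files");
  }
  return { command: programPath, args };
}

// Explicit, deliberate cmd.exe invocation: the script path is fixed by the
// application and every user-controlled argument must match the allowlist.
function planBatchInvocation(scriptPath: string, userArgs: string[]): SpawnPlan {
  if (!isBatchFile(scriptPath)) {
    throw new Error(`not a batch file: ${scriptPath}`);
  }
  if (CMD_METACHARACTERS.test(scriptPath) || /\s/.test(scriptPath)) {
    throw new Error(`unsafe script path: ${scriptPath}`);
  }
  for (const arg of userArgs) {
    if (!SAFE_ARGUMENT.test(arg)) {
      throw new Error(`rejected argument: ${JSON.stringify(arg)}`);
    }
  }
  // "/d" skips AutoRun registry commands; "/c" runs the script and exits.
  return { command: "cmd.exe", args: ["/d", "/c", scriptPath, ...userArgs] };
}
```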
# Configuration example - Check and upgrade Deno version on Windows
# Verify current Deno version
deno --version
# Upgrade to the latest patched version
deno upgrade
# Or install a specific patched version
deno upgrade --version 2.5.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.