
CVE-2026-49402: Deno Runtime RCE Vulnerability

CVE-2026-49402 is a remote code execution flaw in Deno Runtime affecting Windows systems through improper shell argument escaping. Attackers can inject commands via child_process calls. This article covers technical details, affected versions, impact, and mitigation steps.


CVE-2026-49402 Overview

CVE-2026-49402 is a command injection vulnerability in Deno, the JavaScript, TypeScript, and WebAssembly runtime. The flaw resides in the node:child_process implementation, specifically the escapeShellArg() helper used when callers pass shell: true to spawn, spawnSync, exec, and related APIs. On Windows, the helper fails to quote arguments containing cmd.exe metacharacters and does not neutralize %, which cmd.exe expands even inside double-quoted strings. Attackers who control any portion of an argument can inject arbitrary commands into the spawned cmd.exe process. The issue is fixed in Deno 2.7.10 and is tracked under CWE-78 (OS Command Injection).

Critical Impact

Attacker-controlled input passed to shell-enabled child_process calls on Windows can execute arbitrary commands with the privileges of the Deno process.

Affected Products

  • Deno runtime versions prior to 2.7.10
  • Deno applications on Windows using node:child_process with shell: true
  • Deno applications relying on escapeShellArg() for argument sanitization

Discovery Timeline

  • 2026-06-23 - CVE-2026-49402 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-49402

Vulnerability Analysis

The vulnerability stems from improper argument escaping in Deno's Node.js compatibility layer. When a caller invokes spawn, spawnSync, or exec with the shell: true option on Windows, Deno serializes arguments through an internal escapeShellArg() routine before handing them to cmd.exe. The routine wraps arguments in double quotes but does not handle the full set of cmd.exe metacharacters and leaves % characters unescaped.

Unlike POSIX shells, cmd.exe performs environment variable expansion on %VAR% sequences inside double-quoted strings. Combined with unquoted metacharacters such as &, |, ^, and <, an attacker can break out of the intended argument boundary and append additional commands to the spawned shell invocation. The vulnerability is classified under CWE-78.

Root Cause

The escapeShellArg() helper was designed against POSIX shell semantics and does not account for the parsing rules of Windows cmd.exe. Two defects compound the issue: missing quoting for cmd.exe-specific metacharacters, and the absence of any neutralization for %, which triggers variable expansion regardless of quoting. The result is incomplete sanitization of attacker-controlled substrings within otherwise legitimate command arguments.

Attack Vector

Exploitation requires an application that forwards untrusted input into a child_process call with shell: true while running on Windows. An attacker supplies a string that closes the current argument and chains additional cmd.exe commands using metacharacters or environment variable expansion. The injected payload executes within the same cmd.exe invocation, inheriting the privileges of the Deno process.

No public proof-of-concept is referenced in the advisory. Refer to the GitHub Security Advisory GHSA-7xh3-mhg9-jcw8 for the maintainers' description of the flaw and the patch.

Detection Methods for CVE-2026-49402

Indicators of Compromise

  • Unexpected cmd.exe child processes spawned by deno.exe containing metacharacters such as &, |, ^, or % in the command line.
  • Outbound network connections or file system modifications initiated from cmd.exe processes parented to a Deno runtime.
  • Process command lines where user-supplied input appears adjacent to cmd.exe control characters inside arguments to spawn, exec, or spawnSync.

Detection Strategies

  • Audit application source for calls to child_process.spawn, spawnSync, exec, or execFile that pass shell: true together with externally sourced data.
  • Hunt Windows endpoint telemetry for deno.exe → cmd.exe process chains where the child command line contains shell metacharacters not present in the parent application's expected templates.
  • Compare deployed Deno binary versions against the fixed release 2.7.10 across all Windows hosts.

Monitoring Recommendations

  • Enable Windows process creation auditing (Event ID 4688) with full command-line logging to capture invocations of cmd.exe spawned by deno.exe.
  • Forward endpoint process telemetry to a centralized SIEM and alert on cmd.exe children of Deno containing %, &&, ||, or | sequences outside known-good patterns.
  • Track Deno runtime version inventory and flag any host running a release earlier than 2.7.10.
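The hunting and SIEM rules above, worked through as an added example that is not part of the advisory: it triages constructed Windows Event ID 4688-style records (field names ParentProcessName, NewProcessName, CommandLine) and returns cmd.exe children of deno.exe whose command line carries cmd.exe control characters outside a known-good template. The template list and sample records are this example's own assumptions.

```javascript
// Added example, not part of the advisory: triage constructed 4688-style
// process-creation records and surface cmd.exe children of deno.exe whose
// command line carries cmd.exe control characters outside a known-good template.

// Control characters named in the advisory: & | ^ < > and %, the last of
// which cmd.exe expands even inside double quotes.
const CMD_METACHARS = /[&|^<>%]/;

// Constructed allowlist for a hypothetical deployment: command lines the
// application legitimately issues through cmd.exe, redirection included.
const KNOWN_GOOD_TEMPLATES = [
  /^cmd\.exe \/c "git status" > status\.txt$/i,
];

function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Returns the records that warrant an alert.
function flagDenoCmdChildren(records) {
  return records.filter((r) =>
    baseName(r.ParentProcessName) === 'deno.exe' &&
    baseName(r.NewProcessName) === 'cmd.exe' &&
    CMD_METACHARS.test(r.CommandLine) &&
    !KNOWN_GOOD_TEMPLATES.some((re) => re.test(r.CommandLine)));
}

// Constructed sample records using the field names of Security Event ID 4688.
const DENO = 'C:\\Users\\svc\\.deno\\bin\\deno.exe';
const CMD = 'C:\\Windows\\System32\\cmd.exe';
const SAMPLE_RECORDS = [
  // Benign: no metacharacters at all.
  { ParentProcessName: DENO, NewProcessName: CMD, CommandLine: 'cmd.exe /c "git log -1"' },
  // Benign: carries ">" but matches a known-good template.
  { ParentProcessName: DENO, NewProcessName: CMD, CommandLine: 'cmd.exe /c "git status" > status.txt' },
  // Suspicious: a second command chained after the quoted argument.
  { ParentProcessName: DENO, NewProcessName: CMD, CommandLine: 'cmd.exe /c "git log report.txt" & dir' },
  // Suspicious: %VAR% inside quotes, which cmd.exe still expands.
  { ParentProcessName: DENO, NewProcessName: CMD, CommandLine: 'cmd.exe /c "type %USERPROFILE%\\notes.txt"' },
  // Out of scope for this rule: the parent is not the Deno runtime.
  { ParentProcessName: 'C:\\Program Files\\nodejs\\node.exe', NewProcessName: CMD, CommandLine: 'cmd.exe /c "dir" & dir' },
];

console.log(flagDenoCmdChildren(SAMPLE_RECORDS).map((r) => r.CommandLine));
```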

How to Mitigate CVE-2026-49402

Immediate Actions Required

  • Upgrade all Deno installations on Windows to version 2.7.10 or later.
  • Inventory application code for child_process calls using shell: true and confirm whether untrusted input reaches those calls.
  • Restart long-running Deno services after upgrading to ensure the patched runtime is loaded.

Patch Information

The vulnerability is fixed in Deno 2.7.10. The maintainers corrected the escapeShellArg() helper to properly quote cmd.exe metacharacters and neutralize % expansion on Windows. Release details and the underlying fix are documented in the Deno GitHub Security Advisory GHSA-7xh3-mhg9-jcw8.

Workarounds

  • Avoid passing shell: true to node:child_process APIs and invoke binaries directly with an argument array instead.
  • Validate or allowlist user-controlled input before it reaches any shell-enabled spawn call, rejecting strings containing cmd.exe metacharacters such as &, |, ^, <, >, and %.
  • Run Deno services on Windows under least-privilege accounts to limit the impact of any successful command injection until patching is complete.
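The first two workarounds combined in one guard, as an added example that is not the Deno project's code: the executable comes from a fixed allowlist, user-controlled values are rejected if they contain any cmd.exe control character, and the resulting invocation is an argument array with shell: false. The spawn function is injected as a parameter so the guard can be exercised without creating a process; the allowlist contents are this example's own assumption.

```javascript
// Added example, not the Deno project's code: a guard in front of
// node:child_process that applies the advisory's first two workarounds.

// cmd.exe control characters listed in the advisory, including % which
// cmd.exe expands even inside double quotes.
const CMD_METACHARS = /[&|^<>%]/;

// Hypothetical allowlist of programs the application is permitted to run.
const ALLOWED_EXECUTABLES = new Set(['git', 'ffmpeg']);

// Defense in depth: even with the shell disabled, refuse values that could
// only be meaningful to cmd.exe.
function assertNoCmdMetachars(value) {
  if (CMD_METACHARS.test(value)) {
    throw new Error(`rejected argument containing a cmd.exe metacharacter: ${JSON.stringify(value)}`);
  }
  return value;
}

// Vulnerable pattern from the advisory, shown for contrast and never called:
//   spawn(`tool ${userInput}`, { shell: true })
// Hardened form: fixed executable, argv array, no shell involved.
function buildSafeSpawn(executable, userArgs) {
  if (!ALLOWED_EXECUTABLES.has(executable)) {
    throw new Error(`executable not allowlisted: ${executable}`);
  }
  const args = userArgs.map(assertNoCmdMetachars);
  return { file: executable, args, options: { shell: false } };
}

// spawnFn is expected to have the node:child_process spawn signature
// (file, args, options); injecting it keeps this guard testable offline.
function runSafely(spawnFn, executable, userArgs) {
  const { file, args, options } = buildSafeSpawn(executable, userArgs);
  return spawnFn(file, args, options);
}
```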
```bash
# Verify the running Deno version on Windows
deno --version

# Upgrade to the patched release
deno upgrade --version 2.7.10
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
