EXECUTIVE SUMMARY:
A recently disclosed vulnerability in the Deno runtime environment affects Windows systems and is tracked as CVE-2025-61787 with a CVSS score of 8.1. The flaw allows command injection when batch files are executed through Denos process APIs, enabling attackers to run arbitrary commands outside the intended context. The issue stems from how the Windows CreateProcess () API implicitly invokes the command interpreter (cmd.exe) when handling batch files, creating a pathway for exploitation if user-supplied arguments are passed to scripts. Researchers demonstrated the exploit using both Node.jss child_process module and Deno.Command.spawn (), where malicious arguments like &calc.exe trigger unintended command execution. The vulnerability impacts all Deno versions up to 2.5.1 across Windows environments. Developers are advised to upgrade to a secure release to mitigate the risk.
RECOMMENDATION:
We strongly recommend you update Deno runtime environment for Windows systems to below version:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/high-severity-deno-flaw-cve-2025-61787-allows-command-injection-on-windows/