CVE-2026-22864

Опубликовано: 15 янв. 2026

Источник: nvd

CVSS3: 8.1

CVSS3: 9.8

EPSS Низкий

Описание

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Ссылки

https://github.com/denoland/deno/releases/tag/v2.5.6
Release Notes
https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*

Версия до 2.5.6 (исключая)

EPSS

Процентиль: 19%

0.00061

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-77

Связанные уязвимости

GHSA-m3c4-prhw-mrx6

CVSS3: 8.1

github

22 дня назад

Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

EPSS

Процентиль: 19%

0.00061

Низкий

8.1 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-77