CVE-2025-61787
Published: 08 October 2025
Description
Adversaries may abuse the Windows command shell for execution.
Security Summary
CVE-2025-61787 is a command injection vulnerability (CWE-77, improper neutralization of special elements used in a command) affecting Deno, a JavaScript, TypeScript, and WebAssembly runtime. Versions before 2.5.3, and 2.2.x releases before 2.2.15, are vulnerable on Windows specifically when a batch file (.bat or .cmd) is spawned. The root cause is the Windows CreateProcess() API: for a batch file target it implicitly launches cmd.exe to run the script, whether or not the caller asked for a shell. Arguments that were escaped only for the target program's argv parser are therefore also parsed by cmd.exe, whose metacharacters (such as & and |) are interpreted as command syntax, and that is what makes command injection possible. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vector rates the attack as network-reachable, unprivileged and requiring no user interaction, but with high attack complexity: the attacker needs a Deno application on Windows that spawns a .bat or .cmd file with an argument the attacker can influence (for example a value taken from a request), not a malicious batch file of the attacker's own. Metacharacters in that argument are interpreted by cmd.exe, so the attacker's text runs as additional commands with the privileges of the Deno process. Successful attacks can result in high-impact confidentiality, integrity, and availability violations, potentially full compromise of affected Windows hosts running vulnerable Deno versions.
Deno advisories and release notes recommend upgrading to version 2.5.3 or 2.2.15, which address the issue through targeted fixes documented in the associated GitHub commit, pull request, and security advisory. No additional workarounds are specified beyond applying these patches; until an upgrade is possible, not passing untrusted values as arguments to .bat or .cmd files on Windows removes the attacker-controlled input the injection depends on.
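The paragraphs above describe the mechanism in prose; the following added example (not code from the Deno project or its advisory) makes it concrete. It builds the argument string a spawn API would produce for a hypothetical `tool.bat`, first with quoting that is correct for an .exe target and then with a cmd.exe-aware escaping, and runs both through a deliberately simplified model of cmd.exe's command-line scan. The `^`-prefix strategy is the general BatBadBut-style mitigation and is an assumption here, not a description of the exact change shipped in Deno 2.5.3 / 2.2.15; the attacker input is constructed.

```typescript
// Added example, not code from the Deno project. It models why quoting that
// is correct for an .exe target stops being sufficient once CreateProcess()
// routes a .bat/.cmd target through cmd.exe, and shows one cmd.exe-aware
// escaping strategy. Assumption: the `^`-prefix escaping below is the general
// BatBadBut-style mitigation, not the exact change in Deno 2.5.3 / 2.2.15.

/** Characters cmd.exe treats as syntax when they appear outside quote mode. */
const CMD_META = '()%!^"<>&|';

function backslashRun(n: number): string {
  return new Array(n + 1).join('\\');
}

/**
 * Wrap an argument in double quotes so the child's C runtime argv parser
 * reconstructs the original string: n backslashes before an embedded quote
 * become 2n+1, and trailing backslashes are doubled so they cannot escape the
 * closing quote. With forBat=true every cmd.exe metacharacter is additionally
 * prefixed with `^`, and CR/LF (which end a cmd.exe command and cannot be
 * escaped) are rejected.
 */
function quoteArg(arg: string, forBat: boolean): string {
  if (arg.indexOf('\0') >= 0) throw new Error('NUL cannot appear in a command line');
  if (forBat && /[\r\n]/.test(arg)) throw new Error('CR/LF cannot be escaped for cmd.exe');
  let out = '"';
  let backslashes = 0;
  for (let i = 0; i < arg.length; i++) {
    const ch = arg[i];
    if (ch === '\\') { backslashes++; continue; }
    out += backslashRun(ch === '"' ? 2 * backslashes + 1 : backslashes);
    backslashes = 0;
    if (forBat && CMD_META.indexOf(ch) >= 0) out += '^';
    out += ch;
  }
  return out + backslashRun(2 * backslashes) + '"';
}

/** What a spawn API normally does for every argument: correct for foo.exe. */
function quoteForExe(arg: string): string { return quoteArg(arg, false); }

/** What it must do instead when the target is foo.bat / foo.cmd. */
function escapeForBat(arg: string): string { return quoteArg(arg, true); }

/**
 * Deliberately simplified model of cmd.exe's command-line scan: `"` toggles
 * quote mode, `^` escapes the next character (only outside quote mode), and an
 * unescaped `&`, `|`, `<` or `>` outside quote mode starts a second command.
 * A CR or LF ends the command unconditionally. Real cmd.exe has more phases
 * (for example %VAR% expansion); this is only enough to show the injection.
 */
function cmdExeWouldSplit(commandLine: string): boolean {
  let inQuotes = false;
  for (let i = 0; i < commandLine.length; i++) {
    const ch = commandLine[i];
    if (ch === '\r' || ch === '\n') return true;
    if (inQuotes) { if (ch === '"') inQuotes = false; continue; }
    if (ch === '^') { i++; continue; }           // escaped character: skip it
    if (ch === '"') { inQuotes = true; continue; }
    if ('&|<>'.indexOf(ch) >= 0) return true;    // command separator reached
  }
  return false;
}

/** The line CreateProcess() ends up handing to cmd.exe /c for the batch file. */
function batCommandLine(bat: string, args: string[], forBat: boolean): string {
  return [bat].concat(args.map(function (a) { return quoteArg(a, forBat); })).join(' ');
}

// Constructed attacker input: closes the quote, then appends a second command.
const INJECTED = '"&calc.exe';
const naive = batCommandLine('tool.bat', [INJECTED], false);   // tool.bat is hypothetical
const hardened = batCommandLine('tool.bat', [INJECTED], true);
console.log(naive, '-> second command reached:', cmdExeWouldSplit(naive));
console.log(hardened, '-> second command reached:', cmdExeWouldSplit(hardened));
```

Note that a Deno program does not build this command line itself; the runtime's spawn implementation does, which is why the fix lives in Deno and the remedy for applications is the upgrade. The example also shows why CR/LF must be rejected rather than escaped: there is no `^` form that keeps a newline inside one cmd.exe command.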
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing Deno application (T1190, Exploit Public-Facing Application); the injected commands then execute through the Windows command shell, cmd.exe (T1059.003, Command and Scripting Interpreter: Windows Command Shell), which CreateProcess() launches implicitly for the batch file.