CVE-2026-22864
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass
Description
### Summary

A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched `.bat` or `.cmd`. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example `.BAT`, `.Bat`, etc.).

### POC

```javascript
const command = new Deno.Command('./test.BAT', {
  args: ['&calc.exe'],
});
const child = command.spawn();
```

This causes `calc.exe` to be launched; see the attached screenshot for evidence.

**Patched in `CVE-2025-61787` — prevents execution of `.bat` and `.cmd` files:**

**Bypass of the patched vulnerability:**

### Impact

The script launches calc.exe on Windows, demonstrating that passing user-controlled arguments to a spawned batch script can result in command-line injection.

### Mitigation

Users should update to Deno v2.5.6 or newer.
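The flaw the advisory describes is a comparison problem, not a spawning problem, so it is easiest to see in a stand-alone check. The block below is an added illustration, not Deno's own code: `isBlockedCaseSensitive` reproduces a lowercase-literal comparison of the kind the summary describes, `isBlockedCaseInsensitive` normalises the extension before comparing, and `guardedSpawn` is a hypothetical wrapper (its `spawnImpl` parameter is an injected stand-in for a real spawn function, not a Deno API) that refuses batch files before any process is started. It runs in Deno or Node without imports.

```javascript
// Added example, not part of the advisory or of Deno's source.
// Extensions that must never be handed to a spawned process on Windows,
// because cmd.exe will parse the arguments and honour metacharacters such as '&'.
const BLOCKED_EXTENSIONS = [".bat", ".cmd"];

// Return the final extension of a path, or "" when there is none.
// Accepts both '/' and '\' separators since Windows callers may pass either.
function extensionOf(path) {
  const segments = path.split(/[\\/]/);
  const base = segments[segments.length - 1];
  const dot = base.lastIndexOf(".");
  // A lone leading dot (".bashrc") is a name, not an extension.
  return dot > 0 ? base.slice(dot) : "";
}

// The weak form: compares the raw extension against lowercase literals,
// so "./test.BAT" is not recognised as a batch file.
function isBlockedCaseSensitive(path) {
  return BLOCKED_EXTENSIONS.includes(extensionOf(path));
}

// The hardened form: Windows resolves file names case-insensitively,
// so the extension is lowercased before it is compared.
function isBlockedCaseInsensitive(path) {
  return BLOCKED_EXTENSIONS.includes(extensionOf(path).toLowerCase());
}

// Hypothetical wrapper: refuse a batch file before the spawn happens.
// spawnImpl(path, args) is an assumed injected function (e.g. a real spawn).
function guardedSpawn(path, args, spawnImpl) {
  if (isBlockedCaseInsensitive(path)) {
    throw new Error(`refusing to spawn batch file: ${path}`);
  }
  return spawnImpl(path, args);
}

// Constructed sample paths showing where the two checks disagree.
const SAMPLE_PATHS = ["./test.bat", "./test.BAT", "C:\\tools\\run.Cmd", "./node.exe"];
for (const p of SAMPLE_PATHS) {
  console.log(p, "case-sensitive:", isBlockedCaseSensitive(p),
              "case-insensitive:", isBlockedCaseInsensitive(p));
}
```

Only the extension is lowercased, so the path itself is passed through unchanged to the spawn. The example covers the casing gap the advisory reports; a production check should be reviewed against whatever other path forms the platform will resolve to a batch file, since the comparison is only as good as its notion of "extension".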
How to fix CVE-2026-22864
To remediate CVE-2026-22864, upgrade the affected package to a fixed version below.
- upgrade to 2.5.6 or later
Is CVE-2026-22864 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions from 0 up to, but not including, 2.5.6