CVE-2026-32260

Description

## Summary A command injection vulnerability exists in Deno's `node:child_process` polyfill (`shell: true` mode) that bypasses the fix for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to `spawnSync` or `spawn` with `shell: true` can execute arbitrary OS commands, bypassing Deno's permission system. **Affected versions:** Deno v2.7.0, v2.7.1 ## Details The two-stage argument sanitization in `transformDenoShellCommand` (`ext/node/polyfills/internal/child_process.ts`) has a priority bug: when an argument contains a `$VAR` pattern, it is wrapped in double quotes (L1290) instead of single quotes (L1293). Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. Attack chain: 1. `escapeShellArg` wraps the argument in single quotes (safe) 2. `op_node_parse_shell_args` strips the single-quote delimiters during tokenization (raw argument exposed) 3. Re-quoting detects `$VAR` pattern → applies double quotes 4. Backtick payload inside double quotes executes via `/bin/sh` ## Impact **OS Command Injection (CWE-78)**. Any application using `node:child_process` `spawn`/`spawnSync` with `shell: true` and user-controlled arguments is vulnerable. Injected commands execute at the OS process level, outside Deno's permission sandbox. Only `--allow-run` is required. ## Mitigation Avoid passing user-controlled input as arguments to `spawn`/`spawnSync` with `shell: true`. Use `shell: false` (the default) instead, or validate/sanitize inputs before passing them.

How to fix CVE-2026-32260

To remediate CVE-2026-32260, upgrade the affected package to a fixed version below.

• —upgrade to 2.7.2 or later

Is CVE-2026-32260 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2.7.0, < 2.7.2