SB20260423126 - Multiple vulnerabilities in Deno


Published: April 23, 2026

Security Bulletin ID: SB20260423126
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 33% (1 of 3), Low: 67% (2 of 3)

Description

This security bulletin contains information about 3 vulnerabilities.


1) Command injection (CVE-ID: CVE-2025-61787)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in batch file execution on Windows when user-provided arguments are passed to an executed batch script. A remote attacker can supply a specially crafted argument to execute arbitrary commands.

Exploitation occurs when Deno spawns a child process that runs a batch file (a .bat or .cmd file) on Windows with attacker-influenced arguments.


2) Incorrect Privilege Assignment (CVE-ID: CVE-2025-61785)

CWE-ID: CWE-266 - Incorrect Privilege Assignment

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass the write permission model and modify file timestamps.

The vulnerability exists due to incorrect privilege assignment in Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync when operating on an opened file resource under --deny-write restrictions. A local user can open a file with read-only permissions and invoke these methods to bypass the write permission model and modify file timestamps.

The issue occurs even when the file was opened with read set to true and write set to false.


3) Improper privilege management (CVE-ID: CVE-2025-61786)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper privilege management in Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync when retrieving file metadata from an opened file handle. A local user can open a file with write-only flags and call these stat APIs to disclose sensitive information.

The issue occurs when the script is executed with --deny-read=./: file metadata can still be retrieved even though direct read access to the file is denied.


Remediation

Install the update from the vendor's website.