CVE-2026-49402

CVE-2026-49402 is a high-severity OS command injection vulnerability in deno (rust), affecting versions < 2.7.10. It is fixed in 2.7.10.

Summary

Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters such as &, |, <, >, ^, !, (, ), and did not neutralize % (which cmd.exe expands even inside double-quoted strings). An attacker who controlled any portion of an argument passed to such a call could inject arbitrary additional commands into the spawned cmd.exe invocation.

This was the Windows counterpart to CVE-2026-27190, which fixed the same class of bug in the Unix branch of escapeShellArg.

Details

On Windows, child_process with shell: true ran the command via cmd.exe /d /s /c "<command line>". Deno assembled that command line by joining the program name and each argument through escapeShellArg().

The vulnerable check was:

// If no special characters, return as-is
if (!/[\s"\\]/.test(arg)) {
  return arg;
}

The regex covered only whitespace, double-quote, and backslash. Any argument containing cmd.exe-significant characters but none of those three was returned unquoted and therefore interpreted by the shell. The most straightforward exploit chained commands with &:

import { spawnSync } from "node:child_process";

spawnSync("echo", ["test&calc.exe"], { shell: true, encoding: "utf-8" });

The reporter confirmed this launched calc.exe on Windows 11 with Deno 2.7.5. The same shape worked for |, <, >, ^, !, (, and ).

A secondary defect existed even when arguments were quoted: cmd.exe expands %FOO% environment-variable references inside double-quoted strings. Without either doubling % or rejecting it, an argument like "%USERPROFILE%" leaked environment data into the command line.

Proof of concept

From the report, run on Windows with Deno < 2.7.10:

import { spawnSync } from "node:child_process";

const maliciousInput = "test&calc.exe";
const result = spawnSync("echo", [maliciousInput], {
  shell: true,
  encoding: "utf-8",
});
console.log(result);

Observed: calc.exe launched as a side effect of the echo call.

Workarounds

Users on unpatched versions could mitigate by:

  • Avoiding shell: true in node:child_process calls on Windows.
  • Building the argv directly and invoking the program without a shell.
  • Filtering or rejecting any externally-supplied argument values that contained cmd.exe metacharacters (& | < > ^ ! ( ) %) before passing them to spawn / spawnSync / exec.
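As an added example (not Deno's code, and not the 2.7.10 fix itself), the following puts the vulnerable early-return check from the Details section beside a hardened cmd.exe quoting routine and a reject-on-metacharacter validator of the kind the third workaround describes. The quoting branch of the vulnerable shape and the caret-escaping strategy are assumptions for illustration; the advisory shows only the regex check.

```javascript
// Added example, not Deno's code. Pure string functions: nothing is spawned.
// Metacharacters cmd.exe interprets outside quotes (and %, even inside them).
const CMD_META = /[&|<>^!()%"\s\\]/;

// Argv quoting for the Microsoft C runtime: wrap in double quotes, escape
// embedded quotes, and double backslashes that would otherwise swallow a quote.
function quoteForCrt(arg) {
  let out = '"';
  let backslashes = 0;
  for (const ch of arg) {
    if (ch === "\\") { backslashes++; continue; }
    if (ch === '"') {
      out += "\\".repeat(backslashes * 2 + 1) + '"';
    } else {
      out += "\\".repeat(backslashes) + ch;
    }
    backslashes = 0;
  }
  return out + "\\".repeat(backslashes * 2) + '"';
}

// Vulnerable shape from the advisory: only whitespace, '"' and '\' trigger
// quoting, so "test&calc.exe" goes back to cmd.exe verbatim. The quoting
// branch is a stand-in (assumption); the advisory shows only the check.
function escapeShellArgVulnerable(arg) {
  if (!/[\s"\\]/.test(arg)) return arg; // the flawed early return
  return quoteForCrt(arg);
}

// Hardened: always CRT-quote, then caret-escape every cmd.exe metacharacter,
// the quotes included, so cmd never enters quoted mode and % is neutralized.
// cmd strips the carets and the child program receives the CRT-quoted form.
function escapeShellArgHardened(arg) {
  return quoteForCrt(arg).replace(/[()%!^"<>&|]/g, "^$&");
}

// Workaround-style validator: refuse, rather than quote, any externally
// supplied value that carries a cmd.exe metacharacter.
function isSafeCmdArg(arg) {
  return !CMD_META.test(arg);
}

module.exports = { quoteForCrt, escapeShellArgVulnerable, escapeShellArgHardened, isSafeCmdArg };
```

Run against the advisory's input, the vulnerable function returns test&calc.exe unchanged while the hardened one yields ^"test^&calc.exe^", leaving no metacharacter for cmd.exe to act on.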

Impact

Any Deno program on Windows that called child_process.spawn / spawnSync / exec (or any shell helper that funneled through escapeShellArg) with shell: true and incorporated untrusted input into an argument was exposed to arbitrary command execution in the context of the Deno process. The CVSS vector treated this as network-reachable / high-complexity because the typical exposure path was a Deno service accepting external input and forwarding it to a shelled-out subprocess.

Not affected:

  • Calls without shell: true (the default), which executed the program directly via CreateProcess without cmd.exe interpretation.
  • Unix platforms, which used the single-quote branch of escapeShellArg and were already fixed under CVE-2026-27190.
  • Callers that built command strings themselves and passed them as a single string with shell: true. Those strings were the caller's responsibility and were never sanitized by Deno.

Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.

CVE-2026-49402 has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.7.10); upgrading removes the vulnerable code path.

Affected versions

deno (< 2.7.10)

Security releases

deno → 2.7.10 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade deno to 2.7.10 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-49402? CVE-2026-49402 is a high-severity OS command injection vulnerability in deno (rust), affecting versions < 2.7.10. It is fixed in 2.7.10. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
  2. How severe is CVE-2026-49402? CVE-2026-49402 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of deno are affected by CVE-2026-49402? deno (rust) versions < 2.7.10 are affected.
  4. Is there a fix for CVE-2026-49402? Yes. CVE-2026-49402 is fixed in 2.7.10. Upgrade to this version or later.
  5. Is CVE-2026-49402 exploitable, and should I be worried? Whether CVE-2026-49402 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-49402 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-49402? Upgrade deno to 2.7.10 or later.
