Critical Deno Flaws Risk Secrets (CVE-2026-22863) & Execution (CVE-2026-22864)

Deno, the modern JavaScript and TypeScript runtime famous for its “secure by default” architecture, has hit a stumbling block with the discovery of two significant security vulnerabilities. The flaws, targeting the runtime’s cryptographic compatibility and its command execution capabilities on Windows, threaten to expose sensitive server secrets and allow arbitrary code execution.

The most severe of the two issues is CVE-2026-22863, a critical vulnerability carrying a CVSS score of 9.2. The flaw resides in Deno’s node:crypto compatibility layer—a module designed to allow Deno to run code originally written for Node.js.

According to the advisory, the node:crypto implementation fails to properly finalize ciphers. In a standard cryptographic operation, the final() method is supposed to conclude the encryption process and clean up the state. However, in vulnerable Deno versions, this method leaves the cipher open, effectively allowing “infinite encryptions”.

The implications are severe. The report notes that this state mismanagement “can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets”. A proof of concept (PoC) provided in the analysis demonstrates that calling cipher.final() results in a Cipheriv object that remains active with internal buffering states still accessible, rather than the expected closed CipherBase object.

The second vulnerability, tracked as CVE-2026-22864, strikes at Deno’s ability to spawn subprocesses on Windows. The analysis details a “Bypass of the patched vulnerability” involving the Deno.Command API when executing batch files.

Deno includes safeguards intended to prevent shell injection attacks when spawning child processes. When a user attempts to run a .bat file directly, Deno typically throws a PermissionDenied error, instructing the developer to “Use a shell to execute bat or cmd files” to ensure arguments are handled safely.

However, researchers discovered a workaround. By manipulating the file extension case—specifically targeting .BAT files—or the arguments passed to the command, attackers can bypass these restrictions. The report includes a screenshot of a PoC where a script successfully executes calc.exe (the Windows Calculator) via argument injection (args: [“&calc.exe”]) inside a batch file execution context, effectively achieving arbitrary code execution on the host machine.

Users are urged to upgrade to Deno v2.6.0 or newer immediately to close these flaws.

Related Posts:

• High-Severity Deno Flaw CVE-2025-61787 Allows Command Injection on Windows
• Critical security vulnerability in the popular runtime, Deno
• Deno Vulnerability Allows Privilege Elevation
• Node.js Misused in Malvertising Campaigns to Deliver Stealthy Malware