The Deno project has issued a new security advisory warning of a command injection vulnerability on Windows systems, tracked as CVE-2025-61787 and rated CVSS 8.1 (High). The flaw affects Deno versions up to 2.5.1 and could allow attackers to execute arbitrary commands when batch files are spawned under certain conditions.
According to the advisory, “Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.”
This vulnerability represents a critical issue for developers and production environments using Deno to automate or orchestrate scripts on Windows systems, as it could be exploited to launch malicious commands — even those outside the intended execution context.
The Deno team attributes the vulnerability to a long-standing quirk in Windows process creation, specifically how the CreateProcess() API handles batch files.
The advisory explains, “In Windows, CreateProcess() always implicitly spawns cmd.exe if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line.”
This behavior means that even if developers explicitly invoke a batch file directly through Deno’s process APIs, the Windows subsystem automatically routes the execution through the command interpreter (cmd.exe). This implicit invocation opens the door for command injection, particularly if user-supplied arguments are passed to the script.
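A caller-side guard for the behaviour just described, added here as an example and not code from the Deno project or the advisory: it detects when a command would be routed through cmd.exe because it is a batch file and refuses to spawn it with arguments cmd.exe would interpret. The metacharacter set, the function names and the `spawnBatchGuarded` wrapper are assumptions for illustration.

```typescript
// Added example (not from the Deno advisory). Guards a spawn of a batch file on
// Windows, where CreateProcess() implicitly runs cmd.exe for .bat/.cmd targets.
import * as path from "node:path";

// Extensions the advisory names as implicitly handed to cmd.exe.
const BATCH_EXTENSIONS = new Set([".bat", ".cmd"]);

// Characters cmd.exe interprets in an argument string; the exact set is an
// assumption for this example, chosen to err on the side of rejecting input.
const CMD_METACHARACTERS = /["&|<>^%!\r\n]/;

// True when CreateProcess() would route this command through cmd.exe.
function isBatchFile(command: string): boolean {
  return BATCH_EXTENSIONS.has(path.win32.extname(command).toLowerCase());
}

// Returns every argument that contains a cmd.exe metacharacter (empty if none).
function findUnsafeBatchArgs(args: string[]): string[] {
  return args.filter((arg) => CMD_METACHARACTERS.test(arg));
}

// Throws instead of spawning when a batch file would receive unsafe arguments.
// Non-batch targets are passed through untouched.
function assertSafeBatchInvocation(command: string, args: string[]): void {
  if (!isBatchFile(command)) return;
  const unsafe = findUnsafeBatchArgs(args);
  if (unsafe.length > 0) {
    throw new Error(
      `refusing to spawn ${command} via cmd.exe with unsafe argument(s): ${JSON.stringify(unsafe)}`,
    );
  }
}

// Assumed Deno-only wrapper around the Deno.Command API the advisory names.
// Declared as `any` so this file also type-checks outside Deno; not exercised by the test.
declare const Deno: any;
function spawnBatchGuarded(command: string, args: string[]) {
  assertSafeBatchInvocation(command, args);
  return new Deno.Command(command, { args }).spawn();
}
```

Rejecting the argument is the conservative choice; quoting and escaping for cmd.exe is error-prone, so the guard refuses rather than attempting to sanitize.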
The Deno security team provided two proof-of-concept (PoC) examples to demonstrate how the vulnerability can be exploited: one using Node.js’s child_process module and another using Deno.Command.spawn().
The first example leverages Node’s child process module:
The second uses the Deno runtime itself: