CVE-2025-61787

8.1 HIGH

📋 TL;DR

This CVE describes a command injection vulnerability in Deno on Windows systems. When Deno executes batch files (.bat, .cmd) on Windows, the underlying CreateProcess() function implicitly spawns cmd.exe, allowing attackers to inject arbitrary commands. This affects Deno users on Windows who execute batch files through Deno's APIs.

💻 Affected Systems

Products:
  • Deno
Versions: All versions prior to 2.5.3 and 2.2.15
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems when executing batch files through Deno APIs. Linux/macOS systems are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with arbitrary command execution as the Deno process user, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case

Limited command execution within the Deno process context, potentially allowing file system access, data exfiltration, or lateral movement within the network.

🟢 If Mitigated

No impact if proper input validation and sandboxing are implemented, or if batch file execution is avoided.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to control or influence batch file execution through Deno APIs. The vulnerability is in the Windows CreateProcess() behavior when handling batch files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.3 or 2.2.15

Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3

Restart Required: Yes

Instructions:

1. Check the current Deno version with 'deno --version'.
2. Update to Deno 2.5.3 or 2.2.15 using 'deno upgrade --version 2.5.3' or 'deno upgrade --version 2.2.15'.
3. Restart all Deno processes and applications.

🔧 Temporary Workarounds

Avoid batch file execution (platform: windows)

Prevent Deno from executing batch files by modifying application code to avoid batch file execution APIs.

Implement input validation (platform: all)

Add strict input validation and sanitization for any user-controlled parameters passed to Deno's execution APIs.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs that could affect batch file execution
  • Run Deno processes with minimal privileges and in isolated environments/sandboxes
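The two workarounds above (refuse batch targets, or strictly validate arguments before they reach Deno's execution APIs) as a single guard function. This is an added example, not code from the advisory or the Deno project; the policy shape, the allowlist and the function names are assumptions, and the platform value is what Deno.build.os reports.

```typescript
// Added example (not from the advisory or the Deno project): a guard to run
// before user-influenced values reach Deno.Command on Windows. A .bat/.cmd
// target is executed by cmd.exe, which re-parses the argument string, so
// arguments are not passed through verbatim as they are for .exe targets.
// The SpawnPolicy shape, allowBatch flag and allowlist are assumptions.

const BATCH_EXTENSIONS = [".bat", ".cmd"];

// Deliberately strict allowlist for arguments that cmd.exe will re-parse:
// letters, digits and a few path/option characters. Spaces, empty strings
// and every cmd.exe metacharacter (& | < > ^ % ! " and line breaks) fail.
const SAFE_BATCH_ARG = /^[A-Za-z0-9_.:\\/=-]+$/;

interface SpawnPolicy {
  platform: "windows" | "linux" | "darwin"; // pass Deno.build.os here
  allowBatch: boolean; // false = workaround 1: never run batch files at all
}

interface SpawnCheck {
  ok: boolean;
  reason?: string;
}

// True when CreateProcess would hand this target to cmd.exe. Surrounding
// quotes and letter case are ignored, matching how Windows resolves the name.
function isBatchTarget(command: string): boolean {
  const name = command.trim().replace(/^"|"$/g, "").toLowerCase();
  return BATCH_EXTENSIONS.some((ext) => name.endsWith(ext));
}

// Returns { ok: true } when the spawn is safe to hand to Deno.Command,
// otherwise { ok: false, reason } naming the rule that rejected it.
function checkSpawn(command: string, args: string[], policy: SpawnPolicy): SpawnCheck {
  if (policy.platform !== "windows" || !isBatchTarget(command)) {
    return { ok: true }; // not the affected path: args reach the child verbatim
  }
  if (!policy.allowBatch) {
    return { ok: false, reason: `batch target refused by policy: ${command}` };
  }
  for (let i = 0; i < args.length; i++) {
    if (!SAFE_BATCH_ARG.test(args[i])) {
      return { ok: false, reason: `arg[${i}] would be re-parsed by cmd.exe: ${JSON.stringify(args[i])}` };
    }
  }
  return { ok: true };
}
```

Call checkSpawn() and only construct Deno.Command when it returns ok; the reason string is suitable for an audit log entry.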

🔍 How to Verify

Check if Vulnerable:

Check if Deno version is below 2.5.3 or 2.2.15 on Windows systems

Check Version:

deno --version

Verify Fix Applied:

Verify Deno version is 2.5.3 or 2.2.15 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unexpected cmd.exe spawns from Deno processes
  • Unusual batch file execution patterns
  • Deno process spawning unexpected child processes

Network Indicators:

  • Outbound connections from Deno processes to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

Process creation where parent_process contains 'deno' and process contains 'cmd.exe'
