CVE-2026-22864

8.1 HIGH

📋 TL;DR

This vulnerability lets an attacker bypass the checks Deno applies to Windows batch files by spelling the extension in a different case (.BAT, .Bat, or any casing other than .bat). Because Windows resolves file names case-insensitively, the file still runs as a batch script, so batch files Deno should have refused get executed. It affects Deno on Windows in all versions before 2.5.6.

💻 Affected Systems

Products:
  • Deno
Versions: All versions before 2.5.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows: the file system and process creation match file names case-insensitively, so SCRIPT.BAT is the same batch file as script.bat, but the extension check only recognized the lowercase spelling. Linux/macOS unaffected.

📦 What is this software?

Deno is a runtime for JavaScript and TypeScript whose permission system (for example --allow-run) gates what a script may do; applications start child processes through APIs such as Deno.Command, which is the path on which the Windows batch file checks this advisory concerns are applied.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution under the permissions of the Deno process, up to complete system compromise, if an attacker can upload or choose a batch file (referenced with a non-lowercase extension) that the application then spawns.

🟠

Likely Case

Execution of a batch script the application did not intend to run, with the privileges of the Deno process; this is a local privilege escalation wherever that process runs with more rights than the attacker.

🟢

If Mitigated

No impact where the application never passes attacker-influenced paths to a spawn call, or where file permissions and input validation keep untrusted users from planting or selecting batch files.

🌐 Internet-Facing: MEDIUM - Requires ability to influence file paths or extensions being spawned by Deno applications.
🏢 Internal Only: MEDIUM - Internal applications using Deno to spawn processes could be vulnerable to privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - the bypass is just naming or referencing the file with a different extension case; no memory corruption or race is involved.

Exploitation requires ability to control or influence file paths being spawned by Deno applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.6

Vendor Advisory: https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6

Restart Required: Yes

Instructions:

1. Update Deno using: deno upgrade --version 2.5.6
2. Restart all Deno processes and applications
3. Verify update with: deno --version

🔧 Temporary Workarounds

Input validation for file extensions

windows

Normalize the extension (for example with .toLowerCase()) before comparing it against .bat and .cmd, and reject or explicitly allowlist batch targets before spawning

// In Deno code: validate extension with .toLowerCase() before spawn

Restrict file permissions

windows

Ensure untrusted users cannot create or modify batch files in the directories the Deno application spawns from. Denying Everyone read/execute on *.bat would also block the Deno process itself and every legitimate user, so instead deny write and delete to the principals that must not plant or alter scripts, scoped to the script directory (C:\app\scripts is a placeholder and BUILTIN\Users an assumption; a deny ACE overrides allow entries, so keep the service account that runs Deno out of the denied group):

icacls C:\app\scripts /deny "BUILTIN\Users:(OI)(CI)(W,D)"

🧯 If You Can't Patch

  • Implement strict input validation for all file paths used in spawn operations
  • Use application allowlisting to restrict which files Deno can execute

🔍 How to Verify

Check if Vulnerable:

Check Deno version: deno --version. If version is less than 2.5.6, system is vulnerable.

Check Version:

deno --version

Verify Fix Applied:

Run: deno --version. Confirm output shows 2.5.6 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Process creation by, or under, deno.exe whose command line references a batch file with an extension in any casing other than the lowercase .bat/.cmd (.BAT, .Bat, .CMD, .Cmd, mixed case)
  • cmd.exe children of deno.exe running batch files from user-writable locations (temp, download, upload directories)

Network Indicators:

  • Unusual outbound connections from Deno processes post-batch execution

SIEM Query:

(process_name:deno.exe OR parent_process_name:deno.exe) AND (cmdline:*\.BAT OR cmdline:*\.Bat OR cmdline:*\.bAt OR cmdline:*\.CMD OR cmdline:*\.Cmd OR cmdline:*\.cMd)

On Windows a batch file is run through cmd.exe, so the script path usually appears in the command line of a cmd.exe child of deno.exe rather than in deno.exe's own command line; match on the parent process as well. The wildcard terms only catch the listed spellings and assume a case-sensitive match. If the SIEM matches case-insensitively, use a case-sensitive regex that excludes the canonical lowercase form legitimate calls use, e.g. cmdline:/.*\.([Bb][Aa][Tt]|[Cc][Mm][Dd])(\s.*)?/ AND NOT cmdline:/.*\.(bat|cmd)(\s.*)?/. Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled supplies these fields.
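The detection logic behind the query above, run over sample process-creation events. This is an added example, not code from the page or from Deno: the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the events in SAMPLE_EVENTS are constructed, and the extension is matched case-insensitively while anything other than the exact lowercase .bat/.cmd is flagged.

```typescript
// Added example, not from the page or from Deno: scan process-creation events
// for batch scripts spawned by deno.exe or by a child of deno.exe, matching the
// extension case-insensitively and flagging any casing other than the canonical
// ".bat"/".cmd". Field names follow Sysmon Event ID 1; SAMPLE_EVENTS is constructed.

interface ProcessEvent {
  Image: string;        // path of the created process
  ParentImage: string;  // path of its parent
  CommandLine: string;
}

interface Finding {
  image: string;
  parent: string;
  script: string;
  nonCanonicalCase: boolean;
}

function baseName(p: string): string {
  return (p.split(/[\\/]/).pop() ?? "").toLowerCase();
}

// Pull every argument ending in .bat/.cmd (any case) out of a command line,
// honouring double quotes so paths containing spaces are returned whole.
function batchReferences(cmdline: string): string[] {
  const re = /(?:"([^"]*\.(?:bat|cmd))"|(\S+\.(?:bat|cmd)))(?=\s|$)/gi;
  const found: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(cmdline)) !== null) found.push(m[1] ?? m[2]);
  return found;
}

function findBatchSpawns(events: ProcessEvent[]): Finding[] {
  const findings: Finding[] = [];
  for (const ev of events) {
    const image = baseName(ev.Image);
    const parent = baseName(ev.ParentImage);
    // The batch path may sit in deno.exe's own command line or, more often,
    // in the cmd.exe child Windows uses to run the script.
    if (image !== "deno.exe" && parent !== "deno.exe") continue;
    for (const script of batchReferences(ev.CommandLine)) {
      const ext = script.slice(script.lastIndexOf("."));
      findings.push({ image, parent, script, nonCanonicalCase: ext !== ".bat" && ext !== ".cmd" });
    }
  }
  return findings;
}

// Constructed sample: two re-cased batch spawns under deno.exe, one canonical
// spawn, one deno.exe start with no batch file, one unrelated cmd.exe.
const SAMPLE_EVENTS: ProcessEvent[] = [
  { Image: "C:\\Windows\\System32\\cmd.exe", ParentImage: "C:\\app\\deno.exe",
    CommandLine: "C:\\Windows\\System32\\cmd.exe /c \"C:\\app\\scripts\\build.bat\" --target release" },
  { Image: "C:\\Windows\\System32\\cmd.exe", ParentImage: "C:\\app\\deno.exe",
    CommandLine: "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\Public\\update.BAT" },
  { Image: "C:\\app\\deno.exe", ParentImage: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "deno.exe run --allow-run app.ts" },
  { Image: "C:\\Windows\\System32\\cmd.exe", ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "cmd.exe /c \"C:\\tools\\Clean.Bat\"" },
  { Image: "C:\\Windows\\System32\\cmd.exe", ParentImage: "C:\\app\\deno.exe",
    CommandLine: "cmd.exe /c \"C:\\Program Files\\App\\Maint.Cmd\" /quiet" },
];

// Only the re-cased spawns are worth an alert; canonical .bat/.cmd spawns are
// the application's normal behaviour.
function suspiciousFindings(): Finding[] {
  return findBatchSpawns(SAMPLE_EVENTS).filter((f) => f.nonCanonicalCase);
}
```

The explorer.exe-parented Clean.Bat event is deliberately left out of the results: the indicator is specific to deno.exe lineage, and dropping that constraint turns the rule into a generic "mixed-case batch file" alert with far more noise.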

🔗 References

  • Vendor advisory: https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6