Deno is a secure runtime for JavaScript, TypeScript, and WebAssembly that includes a polyfill for Node.js's child_process module. Between versions 2.7.0 and 2.7.1, a critical vulnerability (CVE-2026-32260) was discovered in the polyfill's handling of shell commands when the shell: true option is used. The vulnerability stems from a flawed two-stage sanitization process in the transformDenoShellCommand function, specifically when processing arguments containing environment variable patterns like $VAR. Instead of wrapping these arguments in single quotes, which would prevent shell command substitution, the code wraps them in double quotes. In POSIX-compliant shells, double quotes do not prevent backtick (`) command substitution, allowing an attacker to inject and execute arbitrary commands. This bypasses Deno's permission system, which is designed to restrict unauthorized OS-level operations. The vulnerability is a regression from a previous fix (CVE-2026-27190) and affects all Deno versions from 2.7.0 up to but not including 2.7.2, where the issue was patched. The CVSS v3.1 score is 8.1, indicating high severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. Although no active exploits have been reported, the vulnerability poses a significant risk to any application or service using the affected Deno versions with shell: true in child_process calls.

This vulnerability allows remote attackers to execute arbitrary OS commands on systems running vulnerable Deno versions without requiring authentication or user interaction. Successful exploitation can lead to full system compromise, including data theft, service disruption, and lateral movement within networks. Since Deno is increasingly used in modern web and server-side applications, the impact spans from individual developers' environments to large-scale cloud deployments. The bypass of Deno's permission system further exacerbates the risk by undermining built-in security controls. Organizations relying on Deno for critical infrastructure or production workloads face potential data breaches, operational outages, and reputational damage if exploited. The high CVSS score reflects the broad impact on confidentiality, integrity, and availability. Given the ease of exploitation once attacker-controlled input reaches the vulnerable API, the threat is significant, especially in environments where untrusted input is passed to child_process with shell: true.

1. Immediate upgrade to Deno version 2.7.2 or later, where the vulnerability is fixed. 2. Audit all codebases and dependencies to identify usage of spawn or spawnSync with shell: true in the child_process polyfill and refactor to avoid shell invocation when possible. 3. Implement strict input validation and sanitization on any arguments passed to these functions, especially those containing environment variable patterns or special shell characters. 4. Employ runtime monitoring and anomaly detection to identify suspicious command execution patterns indicative of exploitation attempts. 5. Restrict permissions and isolate environments running Deno applications to limit potential damage from command injection. 6. Educate developers about the risks of shell: true usage and encourage safer alternatives such as direct command execution without shell interpretation. 7. Review and update security policies to include regular dependency vulnerability scanning and timely patching of runtime environments.