{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "2.3.0"
              },
              {
                "fixed": "2.5.3"
              }
            ]
          },
          "events": [
            {
              "introduced": "61574bb9c9c255d5c661add6c7464af30475c197"
            },
            {
              "fixed": "1c3d04cfaf50a4a0db7a1925c0a73af5ea89bc69"
            }
          ],
          "repo": "https://github.com/denoland/deno",
          "type": "GIT"
        },
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "2.2.15"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5f6b1329dfd377ff03a389fb32faf73bb966e81d"
            }
          ],
          "repo": "https://github.com/denoland/deno",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-m2gf-x3f6-8hq3"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-77"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61787.json"
  },
  "details": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, ``CreateProcess()`` always implicitly spawns ``cmd.exe`` if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.",
  "id": "CVE-2025-61787",
  "modified": "2026-04-01T23:08:57.056962006Z",
  "published": "2025-10-08T00:59:17.322Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.2.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.5.3"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61787.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-m2gf-x3f6-8hq3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61787"
    },
    {
      "type": "FIX",
      "url": "https://github.com/denoland/deno/commit/8a0990ccd37bafd8768176ca64b906ba2da2d822"
    },
    {
      "type": "FIX",
      "url": "https://github.com/denoland/deno/pull/30818"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno is Vulnerable to Command Injection on Windows During Batch File Execution"
}