CVE-2026-32260

Severity: HIGH 8.1 | EPSS 0.12%

Deno vulnerable to command injection via incomplete shell metacharacter blocklist in node:child_process

Published: 2026/3/13 | Modified: 2026/3/14

Description

## Summary

A command injection vulnerability exists in Deno's `node:child_process` polyfill (`shell: true` mode) that bypasses the fix for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to `spawnSync` or `spawn` with `shell: true` can execute arbitrary OS commands, bypassing Deno's permission system.

**Affected versions:** Deno v2.7.0, v2.7.1

## Details

The two-stage argument sanitization in `transformDenoShellCommand` (`ext/node/polyfills/internal/child_process.ts`) has a priority bug: when an argument contains a `$VAR` pattern, it is wrapped in double quotes (L1290) instead of single quotes (L1293). Double quotes in POSIX sh do not suppress backtick command substitution, so injected commands execute.

Attack chain:

1. `escapeShellArg` wraps the argument in single quotes (safe).
2. `op_node_parse_shell_args` strips the single-quote delimiters during tokenization, exposing the raw argument.
3. Re-quoting detects the `$VAR` pattern and applies double quotes.
4. A backtick payload inside the double quotes executes via `/bin/sh`.

## Impact

**OS Command Injection (CWE-78).** Any application using `node:child_process` `spawn`/`spawnSync` with `shell: true` and user-controlled arguments is vulnerable. Injected commands execute at the OS process level, outside Deno's permission sandbox. Only `--allow-run` is required.

## Mitigation

Avoid passing user-controlled input as arguments to `spawn`/`spawnSync` with `shell: true`. Use `shell: false` (the default) instead, or validate/sanitize inputs before passing them.

Affected packages (1)

CVSS score

| Source | Version  | Severity | Vector                                       |
|--------|----------|----------|----------------------------------------------|
| osv    | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |

Reference links (3)