Deno on Windows: How a Capital Letter Broke the Security Model

Amit Schendel

Senior Security Researcher

Jan 16, 2026·6 min read·5 visits

PoC Available

Executive Summary (TL;DR)

Deno tried to stop you from spawning batch files to prevent command injection. But they checked for '.bat', not '.BAT'. Because Windows is case-insensitive and cmd.exe is a parsing nightmare, this allowed attackers to bypass the filter and inject arbitrary shell commands simply by shouting the file extension.

A command injection vulnerability in the Deno runtime on Windows allowing arbitrary code execution via crafted batch file extensions.

Attack Flow Diagram

Official Patches

DenoDeno v2.5.6 Release Notes

Fix Analysis (2)

Technical Appendix

CVSS Score

8.1/ 10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.05%

Top 85% most exploited

Affected Systems

Deno runtime on Windows < 2.5.6

Affected Versions Detail

Product	Affected Versions	Fixed Version
Deno Deno Land	< 2.5.6	2.5.6

Attribute	Detail
CWE ID	CWE-77 (Command Injection)
CVSS v3.1	8.1 (High)
Attack Vector	Network (AV:N)
Impact	Remote Code Execution
Platform	Windows (x64/x86)
Exploit Status	Functional PoC Available

MITRE ATT&CK Mapping

T1059.003Command and Scripting Interpreter: Windows Command Shell

Execution

T1202Indirect Command Execution

Defense Evasion

CWE-77

Command Injection

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Known Exploits & Detection

Internal PoCConstructing a .BAT file and passing shell metacharacters in arguments.

Vulnerability Timeline

Patch Released (v2.5.6)

2025-10-29

CVE Published

2026-01-15