CVE-2026-32260
## Summary
A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix
for CVE-2026-27190 (GHSA-hmh4-3xvx-q5hr). An attacker who controls arguments passed to spawnSync or spawn with `shell:
true` can execute arbitrary OS commands, bypassing Deno's permission system.
Affected versions: Deno v2.7.0, v2.7.1
## Details
The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a
priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes
(L1293). Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute.
Attack chain:
- escapeShellArg wraps the argument in single quotes (safe)
- op_node_parse_shell_args strips the single-quote delimiters during tokenization (raw argument exposed)
- Re-quoting detects the $VAR pattern → applies double quotes
- Backtick payload inside double quotes executes via /bin/sh
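The quoting defect described above, modelled as an added example (not Deno's code): `requoteVulnerable` mirrors the described priority (a `$VAR` match gets double quotes), `requoteSafe` always single-quotes, and `hasActiveSubstitution` is a small scanner a test suite can run over quoted output to flag backtick or `$(` syntax left where sh would evaluate it. Function names, the `$VAR` regex and the sample argument are assumptions.

```typescript
// Added example; models the re-quoting step as the advisory describes it.
// Function names, the $VAR regex and sample inputs are constructed, not Deno's.

// Vulnerable priority: a $VAR match wins and the argument gets double quotes,
// which still allow `...` and $(...) substitution in POSIX sh.
function requoteVulnerable(arg: string): string {
  if (/\$[A-Za-z_][A-Za-z0-9_]*/.test(arg)) return `"${arg}"`;
  return `'${arg.replace(/'/g, `'\\''`)}'`;
}

// Hardened: always single-quote. Single quotes suppress every expansion;
// an embedded ' is closed, escaped and reopened as '\''.
function requoteSafe(arg: string): string {
  return `'${arg.replace(/'/g, `'\\''`)}'`;
}

// Static check over a quoted token: is any backtick or $( left where sh would
// evaluate it (unquoted or inside double quotes, and not backslash-escaped)?
function hasActiveSubstitution(token: string): boolean {
  let inSingle = false;
  let inDouble = false;
  for (let i = 0; i < token.length; i++) {
    const c = token[i];
    if (inSingle) {
      if (c === "'") inSingle = false; // nothing else is special inside '...'
      continue;
    }
    if (c === "\\") { i++; continue; } // escapes the next char unquoted or in "..."
    if (c === "'" && !inDouble) { inSingle = true; continue; }
    if (c === '"') { inDouble = !inDouble; continue; }
    if (c === "`" || (c === "$" && token[i + 1] === "(")) return true;
  }
  return false;
}

// Constructed sample: a $VAR reference with a backtick sequence appended.
const sample = "$HOME/`echo injected`";
console.log(requoteVulnerable(sample), hasActiveSubstitution(requoteVulnerable(sample))); // true
console.log(requoteSafe(sample), hasActiveSubstitution(requoteSafe(sample)));             // false
```

Running `hasActiveSubstitution` over every token your own quoting layer emits is a cheap regression test for exactly the class of bug this advisory describes.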
## Impact
OS Command Injection (CWE-78). Any application using node:child_process spawn/spawnSync with shell: true and
user-controlled arguments is vulnerable. Injected commands execute at the OS process level, outside Deno's permission
sandbox. Only --allow-run is required.
## Mitigation
Avoid passing user-controlled input as arguments to spawn/spawnSync with shell: true. Use shell: false (the default)
instead, or validate/sanitize inputs before passing them.
## References
- https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j
- https://nvd.nist.gov/vuln/detail/CVE-2026-32260
- https://github.com/denoland/deno