by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
15 packages
- speech-denoiser
- openimagedenoise
- terraform-providers.deno
- python312Packages.denonavr
- python313Packages.denonavr
- haskellPackages.pandoc-sidenote
- terraform-providers.denoland_deno
- gnomeExtensions.denon-avr-controler
- python312Packages.bnunicodenormalizer
- python313Packages.bnunicodenormalizer
- python314Packages.bnunicodenormalizer
- vscode-extensions.denoland.vscode-deno
- home-assistant-component-tests.denonavr
- tests.home-assistant-component-tests.denonavr
- gnomeExtensions.marantz-and-denon-avr-controller
- @LeSuisse accepted
- @LeSuisse published on GitHub
Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.
References
-
https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j x_refsource_CONFIRM
Affected products
- ==>= 2.7.0, < 2.7.2
Matching in nixpkgs
Ignored packages (15)
pkgs.speech-denoiser
Speech denoise lv2 plugin based on RNNoise library
-
nixos-unstable 0-unstable-2018-10-08
- nixpkgs-unstable 0-unstable-2018-10-08
- nixos-unstable-small 0-unstable-2018-10-08
-
nixos-25.11 0-unstable-2018-10-08
- nixos-25.11-small 0-unstable-2018-10-08
- nixpkgs-25.11-darwin 0-unstable-2018-10-08
pkgs.openimagedenoise
High-Performance Denoising Library for Ray Tracing
pkgs.terraform-providers.deno
None
pkgs.python312Packages.denonavr
Automation Library for Denon AVR receivers
pkgs.python313Packages.denonavr
Automation Library for Denon AVR receivers
pkgs.haskellPackages.pandoc-sidenote
Convert Pandoc Markdown-style footnotes into sidenotes
pkgs.terraform-providers.denoland_deno
None
pkgs.gnomeExtensions.denon-avr-controler
Denon AVR controler
pkgs.python312Packages.bnunicodenormalizer
Bangla Unicode Normalization Toolkit
pkgs.python313Packages.bnunicodenormalizer
Bangla Unicode Normalization Toolkit
pkgs.python314Packages.bnunicodenormalizer
Bangla Unicode Normalization Toolkit
pkgs.vscode-extensions.denoland.vscode-deno
Language server client for Deno
pkgs.home-assistant-component-tests.denonavr
Open source home automation that puts local control and privacy first
pkgs.tests.home-assistant-component-tests.denonavr
Open source home automation that puts local control and privacy first
pkgs.gnomeExtensions.marantz-and-denon-avr-controller
Control your Marantz or Denon AVR from GNOME Shell.
Package maintainers
-
@ofalvai Olivér Falvai <ofalvai@gmail.com>
-
@06kellyjac Jack <hello+nixpkgs@j-k.io>