Nixpkgs security tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2026-22864
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 3 weeks ago
  • @LeSuisse removed package speech-denoiser 2 months, 3 weeks ago
  • @LeSuisse removed package openimagedenoise 2 months, 3 weeks ago
  • @LeSuisse removed package terraform-providers.deno 2 months, 3 weeks ago
  • @LeSuisse removed package python312Packages.denonavr 2 months, 3 weeks ago
  • @LeSuisse removed package python313Packages.denonavr 2 months, 3 weeks ago
  • @LeSuisse removed package haskellPackages.pandoc-sidenote 2 months, 3 weeks ago
  • @LeSuisse removed package terraform-providers.denoland_deno 2 months, 3 weeks ago
  • @LeSuisse removed package gnomeExtensions.denon-avr-controler 2 months, 3 weeks ago
  • @LeSuisse removed package python312Packages.bnunicodenormalizer 2 months, 3 weeks ago
  • @LeSuisse removed package python313Packages.bnunicodenormalizer 2 months, 3 weeks ago
  • @LeSuisse removed package vscode-extensions.denoland.vscode-deno 2 months, 3 weeks ago
  • @LeSuisse removed package home-assistant-component-tests.denonavr 2 months, 3 weeks ago
  • @LeSuisse dismissed 2 months, 3 weeks ago
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Affected products

deno
  • ==< 2.5.6

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Package maintainers

No Windows support