Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: deno

Found 3 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-32260
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 weeks, 6 days ago by @LeSuisse Activity log
  • Created automatic suggestion 3 weeks, 6 days ago
  • @LeSuisse removed package speech-denoiser 3 weeks, 6 days ago
  • @LeSuisse removed package openimagedenoise 3 weeks, 6 days ago
  • @LeSuisse removed package terraform-providers.deno 3 weeks, 6 days ago
  • @LeSuisse removed package python312Packages.denonavr 3 weeks, 6 days ago
  • @LeSuisse removed package python313Packages.denonavr 3 weeks, 6 days ago
  • @LeSuisse removed package haskellPackages.pandoc-sidenote 3 weeks, 6 days ago
  • @LeSuisse removed package terraform-providers.denoland_deno 3 weeks, 6 days ago
  • @LeSuisse removed package gnomeExtensions.denon-avr-controler 3 weeks, 6 days ago
  • @LeSuisse removed package python312Packages.bnunicodenormalizer 3 weeks, 6 days ago
  • @LeSuisse removed package python313Packages.bnunicodenormalizer 3 weeks, 6 days ago
  • @LeSuisse removed package python314Packages.bnunicodenormalizer 3 weeks, 6 days ago
  • @LeSuisse removed package vscode-extensions.denoland.vscode-deno 3 weeks, 6 days ago
  • @LeSuisse removed package home-assistant-component-tests.denonavr 3 weeks, 6 days ago
  • @LeSuisse removed package tests.home-assistant-component-tests.denonavr 3 weeks, 6 days ago
  • @LeSuisse removed package gnomeExtensions.marantz-and-denon-avr-controller 3 weeks, 6 days ago
  • @LeSuisse accepted 3 weeks, 6 days ago
  • @LeSuisse published on GitHub 3 weeks, 6 days ago
Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:child_process polyfill (shell: true mode) that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand (ext/node/polyfills/internal/child_process.ts) has a priority bug: when an argument contains a $VAR pattern, it is wrapped in double quotes (L1290) instead of single quotes. Double quotes in POSIX sh do not suppress backtick command substitution, allowing injected commands to execute. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's permission system. This vulnerability is fixed in 2.7.2.

Affected products

deno
  • ==>= 2.7.0, < 2.7.2

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Package maintainers

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j
Permalink CVE-2026-27190
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 2 weeks ago
  • @LeSuisse removed package speech-denoiser 1 month, 2 weeks ago
  • @LeSuisse removed package openimagedenoise 1 month, 2 weeks ago
  • @LeSuisse removed package terraform-providers.deno 1 month, 2 weeks ago
  • @LeSuisse removed package python312Packages.denonavr 1 month, 2 weeks ago
  • @LeSuisse removed package python313Packages.denonavr 1 month, 2 weeks ago
  • @LeSuisse removed package haskellPackages.pandoc-sidenote 1 month, 2 weeks ago
  • @LeSuisse removed package terraform-providers.denoland_deno 1 month, 2 weeks ago
  • @LeSuisse removed package gnomeExtensions.denon-avr-controler 1 month, 2 weeks ago
  • @LeSuisse removed package python312Packages.bnunicodenormalizer 1 month, 2 weeks ago
  • @LeSuisse removed package python313Packages.bnunicodenormalizer 1 month, 2 weeks ago
  • @LeSuisse removed package python314Packages.bnunicodenormalizer 1 month, 2 weeks ago
  • @LeSuisse removed package vscode-extensions.denoland.vscode-deno 1 month, 2 weeks ago
  • @LeSuisse removed package home-assistant-component-tests.denonavr 1 month, 2 weeks ago
  • @LeSuisse removed package tests.home-assistant-component-tests.denonavr 1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.6.8, a command injection vulnerability exists in Deno's node:child_process implementation. This vulnerability is fixed in 2.6.8.

Affected products

deno
  • ==< 2.6.8

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Package maintainers

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr
Upstream patch: https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c
Permalink CVE-2026-22863
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 3 weeks ago
  • @LeSuisse removed package speech-denoiser 2 months, 3 weeks ago
  • @LeSuisse removed package openimagedenoise 2 months, 3 weeks ago
  • @LeSuisse removed package terraform-providers.deno 2 months, 3 weeks ago
  • @LeSuisse removed package python312Packages.denonavr 2 months, 3 weeks ago
  • @LeSuisse removed package python313Packages.denonavr 2 months, 3 weeks ago
  • @LeSuisse removed package haskellPackages.pandoc-sidenote 2 months, 3 weeks ago
  • @LeSuisse removed package terraform-providers.denoland_deno 2 months, 3 weeks ago
  • @LeSuisse removed package gnomeExtensions.denon-avr-controler 2 months, 3 weeks ago
  • @LeSuisse removed package python312Packages.bnunicodenormalizer 2 months, 3 weeks ago
  • @LeSuisse removed package python313Packages.bnunicodenormalizer 2 months, 3 weeks ago
  • @LeSuisse removed package vscode-extensions.denoland.vscode-deno 2 months, 3 weeks ago
  • @LeSuisse removed package home-assistant-component-tests.denonavr 2 months, 3 weeks ago
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago
Deno node:crypto doesn't finalize cipher

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

Affected products

deno
  • ==< 2.6.0

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

Package maintainers

Upstream advisory: https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v