Nixpkgs security tracker

Permalink CVE-2026-22864

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 2 months, 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 2 months, 3 weeks ago
@LeSuisse removed package speech-denoiser 2 months, 3 weeks ago
@LeSuisse removed package openimagedenoise 2 months, 3 weeks ago
@LeSuisse removed package terraform-providers.deno 2 months, 3 weeks ago
@LeSuisse removed package python312Packages.denonavr 2 months, 3 weeks ago
@LeSuisse removed package python313Packages.denonavr 2 months, 3 weeks ago
@LeSuisse removed package haskellPackages.pandoc-sidenote 2 months, 3 weeks ago
@LeSuisse removed package terraform-providers.denoland_deno 2 months, 3 weeks ago
@LeSuisse removed package gnomeExtensions.denon-avr-controler 2 months, 3 weeks ago
@LeSuisse removed package python312Packages.bnunicodenormalizer 2 months, 3 weeks ago
@LeSuisse removed package python313Packages.bnunicodenormalizer 2 months, 3 weeks ago
@LeSuisse removed package vscode-extensions.denoland.vscode-deno 2 months, 3 weeks ago
@LeSuisse removed package home-assistant-component-tests.denonavr 2 months, 3 weeks ago
@LeSuisse dismissed 2 months, 3 weeks ago

Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

References

https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6 x_refsource_CONFIRM
https://github.com/denoland/deno/releases/tag/v2.5.6 x_refsource_MISC
https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6 x_refsource_CONFIRM
https://github.com/denoland/deno/releases/tag/v2.5.6 x_refsource_MISC

Affected products

deno

==< 2.5.6

Matching in nixpkgs

pkgs.deno

Secure runtime for JavaScript and TypeScript

nixos-unstable 2.5.6
- nixpkgs-unstable 2.5.6
- nixos-unstable-small 2.5.6

Package maintainers

@ofalvai Olivér Falvai <ofalvai@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>

No Windows support

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.deno

Package maintainers