Cyber Posture

CVE-2025-61787

High · Public PoC · RCE

Published: 08 October 2025
Modified: 16 October 2025
KEV Added: not listed (see Summary)
Patch: fixed in 2.2.15 and 2.5.3
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-61787 is a high-severity Command Injection (CWE-77) vulnerability in Deno, the JavaScript, TypeScript, and WebAssembly runtime. It affects Windows hosts only, and only when a Deno application executes a batch file. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 34.5th percentile by exploit likelihood (EPSS 0.0015, below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Windows Command Shell (T1059.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Mandates timely identification, reporting, and correction of flaws, directly addressing the need to patch Deno versions prior to 2.5.3 or 2.2.15 to eliminate the command injection vulnerability. This is the only complete fix: the flaw is in how the runtime hands a batch file to Windows, not in any one application's code.

SI-10 Information Input Validation (prevent)

Requires validation of information inputs at system entry points, reducing exposure by validating any externally influenced arguments a Deno application passes when it executes a batch file on Windows. Treat this as defence in depth rather than a substitute for the patch: cmd.exe re-parses the command line with quoting rules that differ from the CreateProcess() argument rules, so escaping or denylisting metacharacters is error-prone, and a strict allowlist of permitted argument characters is the more reliable approach.

Vulnerability Monitoring and Scanning (detect)

Provides vulnerability scanning to identify systems running vulnerable Deno versions affected by the Windows-specific command injection issue, enabling proactive remediation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

The vulnerability enables remote exploitation of a public-facing Deno application (T1190) leading to command injection and arbitrary execution via Windows Command Shell (cmd.exe, T1059.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, CreateProcess() always implicitly spawns cmd.exe if a batch file (.bat, .cmd, etc.) is being executed even if the application does not specify it via the command line. This makes Deno vulnerable to a command injection attack on Windows. Versions 2.5.3 and 2.2.15 fix the issue.

Deeper analysis

CVE-2025-61787 is a command line injection vulnerability (CWE-77) affecting Deno, a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable on Windows, and only when a batch file (.bat, .cmd, etc.) is executed. The root cause is Windows platform behaviour: the CreateProcess() API implicitly spawns cmd.exe to run a batch file even when the application never asked for a shell. cmd.exe then re-parses the command line it is handed, so any argument containing characters that cmd.exe treats as syntax is interpreted as shell input rather than passed literally to the script. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Attackers can exploit this vulnerability remotely over the network without privileges or user interaction, though attack complexity is rated high: the attacker needs to reach a Deno application that spawns a batch file (for example through Deno.Command) and must be able to influence the arguments passed to it. The batch file itself need not be malicious; a perfectly legitimate script is enough. Because cmd.exe re-parses the argument string, an attacker-controlled argument containing cmd.exe metacharacters (such as & or |) is executed as an additional command with the privileges of the Deno process. Successful attacks can result in high-impact confidentiality, integrity, and availability violations, potentially enabling full system compromise on affected Windows hosts running vulnerable Deno versions.

Deno advisories and release notes recommend upgrading to version 2.5.3, or 2.2.15 for deployments on the 2.2 release line, which address the issue through targeted fixes documented in the associated GitHub commit, pull request, and security advisory. No additional workarounds are specified beyond applying these patches. Until an upgrade is possible, the exposure is confined to code paths that execute .bat or .cmd files with externally influenced arguments, so auditing those call sites and removing or tightly validating their inputs narrows the attack surface.
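The following TypeScript is an added example, not code from the Deno project or its advisory. It shows the two checks a practitioner would want from the analysis above: a guard that refuses to launch a .bat or .cmd target when any argument fails a character allowlist, because cmd.exe will re-parse those arguments, and a version check for the two affected ranges (below 2.2.15, and 2.3.0 up to but not including 2.5.3). The allowlist pattern, the file names and the sample arguments are hypothetical. The process spawner is injected so the logic runs under Node or Deno; under Deno you would pass in a call to the real Deno.Command API as shown in the comment.

```typescript
// Added example for CVE-2025-61787 (not Deno project code).
// Assumptions: .bat/.cmd are the batch extensions of interest (the advisory
// says "etc.", which is not expanded here); SAFE_ARG is a hypothetical policy.

type Spawner = (program: string, args: string[]) => unknown;
type Triple = [number, number, number];

// CreateProcess() routes .bat/.cmd files through cmd.exe, which re-parses the
// command line, so these are the launches whose arguments need validation.
function isBatchFile(program: string): boolean {
  return /\.(bat|cmd)$/i.test(program.trim());
}

// Allowlist instead of denylist: cmd.exe quoting rules differ from the
// CreateProcess argument rules, so escaping & | < > ^ " % ! is brittle.
// Hypothetical policy: letters, digits, and a few path/option characters.
const SAFE_ARG = /^[A-Za-z0-9_.\-\\\/:=@]+$/;

function isSafeBatchArg(arg: string): boolean {
  return SAFE_ARG.test(arg);
}

class BatchArgError extends Error {}

// Spawns only if the target is not a batch file or every argument passes the
// allowlist. Under Deno, pass for example:
//   (p, a) => new Deno.Command(p, { args: a }).outputSync()
function spawnGuarded(program: string, args: string[], spawn: Spawner): unknown {
  if (isBatchFile(program)) {
    const bad = args.find((a) => !isSafeBatchArg(a));
    if (bad !== undefined) {
      throw new BatchArgError(
        `refusing to pass ${JSON.stringify(bad)} to ${program}: cmd.exe would re-parse it`,
      );
    }
  }
  return spawn(program, args);
}

// Parses "2.5.3" or "v2.5.3" into a comparable triple.
function parseVersion(v: string): Triple {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function lt(a: Triple, b: Triple): boolean {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Affected per the advisory: < 2.2.15, and 2.3.0 <= v < 2.5.3.
function isAffectedDenoVersion(version: string): boolean {
  const v = parseVersion(version);
  if (lt(v, [2, 2, 15])) return true;
  return !lt(v, [2, 3, 0]) && lt(v, [2, 5, 3]);
}

// Constructed demonstration inputs (not taken from the advisory or any PoC).
function demo(): { allowed: string[][]; rejected: string[] } {
  const allowed: string[][] = [];
  const rejected: string[] = [];
  const fakeSpawn: Spawner = (p, a) => { allowed.push([p, ...a]); return 0; };
  const attempts: [string, string[]][] = [
    ["build.bat", ["release"]],          // plain argument, allowed
    ["build.bat", ["release & whoami"]], // & would start a second command
    ["build.cmd", ["%TEMP%"]],           // %VAR% is expanded by cmd.exe
    ["node.exe", ["-e", "1 & 2"]],       // not a batch file: no cmd.exe involved
  ];
  for (const [p, a] of attempts) {
    try {
      spawnGuarded(p, a, fakeSpawn);
    } catch (e) {
      if (e instanceof BatchArgError) rejected.push(a.join(" "));
      else throw e;
    }
  }
  return { allowed, rejected };
}

// Usage: console.log(demo()) lists the allowed launches and rejected arguments.
```

The allowlist deliberately rejects whitespace, so a legitimate path containing a space would also be refused; that is the trade-off of validating rather than escaping, and the policy should be loosened only to what the specific batch script actually needs. The version check mirrors the advisory's two fixed releases and is the logic a scanner would apply to the output of `deno --version`.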

Details

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected Products

Deno (deno)
< 2.2.15 · 2.3.0 to < 2.5.3 (fixed in 2.2.15 and 2.5.3; Windows only)
