Cyber Resilience

CVE-2026-22864

High · Public PoC · RCE

Published: 15 January 2026
Modified: 21 January 2026
KEV Added: (not listed)
Patch: Deno 2.5.6
CVSS v3.1 Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0062 (45.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22864 is a high-severity Command Injection (CWE-77) vulnerability in the Deno runtime (vendor: Deno). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003). The vulnerability ranks at the 45.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-22864 is a vulnerability in Deno, a JavaScript, TypeScript, and WebAssembly runtime, affecting versions prior to 2.5.6 on Windows systems. A previous patch intended to prevent spawning of batch or shell files by blocking paths with .bat or .cmd extensions used a case-sensitive comparison against lowercase literals, allowing bypass via alternate casing such as .BAT or .Bat. This issue, classified under CWE-77 (Command Injection), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is exploitable remotely, with no privileges or user interaction required, though it demands high attack complexity, likely because the attacker must get a suitable path with a mixed-case extension into Deno's process spawning APIs. Successful exploitation enables spawning arbitrary Windows batch or shell files, resulting in high-impact confidentiality, integrity, and availability violations, potentially leading to full system compromise within the Deno runtime environment.

Mitigation is provided in Deno version 2.5.6, which addresses the case-sensitivity flaw in the extension check. Official advisories recommend upgrading to this version, as detailed in the Deno release notes at https://github.com/denoland/deno/releases/tag/v2.5.6 and the security advisory at https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6.

Vulnerability details

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.
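To make the flaw described above and in the Deeper analysis concrete, the following added Rust example (not Deno's own code) models a case-sensitive extension check against lowercase literals beside the ASCII case-insensitive check that the 2.5.6 fix requires, and runs both over constructed sample paths; the helper names and paths are assumptions.

```rust
// Added example modelling the check described in the advisory; this is not Deno's code.
const BLOCKED_EXTS: [&str; 2] = ["bat", "cmd"];

/// Returns the text after the last '.' of the final path component, if any.
/// Both separators are accepted because Windows treats '/' and '\' alike.
fn extension_of(path: &str) -> Option<&str> {
    let file_name = path
        .rsplit(|c: char| c == '\\' || c == '/')
        .next()
        .unwrap_or(path);
    file_name.rfind('.').map(|i| &file_name[i + 1..])
}

/// Pre-2.5.6 style check: exact match against lowercase literals.
/// "run.BAT" slips through because "BAT" != "bat".
pub fn blocks_batch_file_case_sensitive(path: &str) -> bool {
    extension_of(path).map_or(false, |ext| BLOCKED_EXTS.iter().any(|b| *b == ext))
}

/// Corrected check: Windows resolves extensions case-insensitively, so the
/// comparison must ignore ASCII case as well.
pub fn blocks_batch_file_case_insensitive(path: &str) -> bool {
    extension_of(path).map_or(false, |ext| {
        BLOCKED_EXTS.iter().any(|b| b.eq_ignore_ascii_case(ext))
    })
}

/// Returns the sample paths that the old check lets through but the fixed check blocks.
pub fn bypass_cases() -> Vec<&'static str> {
    // Constructed sample paths (hypothetical, not taken from any real incident).
    let samples = [
        "C:\\tools\\run.bat",
        "C:\\tools\\run.BAT",
        "C:\\tools\\run.Bat",
        "scripts/deploy.CMD",
        "C:\\Program Files\\node.exe",
        "payload.bat.txt",
    ];
    samples
        .into_iter()
        .filter(|p| !blocks_batch_file_case_sensitive(p) && blocks_batch_file_case_insensitive(p))
        .collect()
}

fn main() {
    for p in bypass_cases() {
        println!("passes old check, blocked by fix: {p}");
    }
}
```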

CWE(s)

CWE-77 Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

Bypass of .bat/.cmd extension block in Deno spawn APIs directly enables execution of Windows batch/shell files (command injection).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22863 · Same product: Deno Deno
CVE-2026-27190 · Same product: Deno Deno
CVE-2026-32260 · Same product: Deno Deno
CVE-2025-61787 · Same product: Deno Deno
CVE-2026-20841 · Shared CWE-77
CVE-2026-32194 · Shared CWE-77
CVE-2026-32183 · Shared CWE-77
CVE-2024-57590 · Shared CWE-77
CVE-2026-21638 · Shared CWE-77
CVE-2025-64090 · Shared CWE-77

Affected Assets

deno / deno, version ≤ 2.5.6

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 (Flaw Remediation)

Directly requires identification, reporting, and timely patching of flaws such as the case-sensitive extension check bypass in Deno prior to version 2.5.6, preventing the command injection.

Detect

Provides vulnerability scanning to detect systems running Deno versions exploitable via mixed-case batch file extensions.

Prevent: CM-6 (Configuration Settings)

Ensures secure configuration settings for runtimes such as Deno, including enforcement of patched versions that fix the Windows-specific spawning bypass.