JustAppSec

Deno fixes High-severity command injection in node:child_process when using shell:true (CVE-2026-32260)

What happened

A newly published CVE describes a command injection vulnerability in Deno's node:child_process polyfill that is reachable when spawn() / spawnSync() is invoked with shell: true. The advisory explicitly describes the issue as a bypass of the earlier fix for CVE-2026-27190, so the check that the first fix introduced did not close the injection path.

Who is impacted

  • Affected runtime: Deno
  • Affected versions: v2.7.0 and v2.7.1 (range: >= 2.7.0, < 2.7.2)
  • Condition: applications that pass user-controlled arguments to spawn() / spawnSync() with shell: true.
  • Impact: attacker-controlled input can lead to arbitrary OS command execution. Processes spawned through child_process run outside Deno's permission sandbox, so the advisory's scenario requires only the --allow-run permission; no additional file or network permissions are needed for the injected command to act.

What to do now

  • Upgrade Deno to 2.7.2 (patched).
  • If you must run a vulnerable version temporarily:
    • Avoid shell: true (keep the default shell: false and pass the command and its arguments as an array, so no shell parses them).
    • Do not pass untrusted input into process-spawn arguments; enforce strict allowlists for both the command and its arguments. Where a shell is unavoidable, use escaping written for the specific target shell (for POSIX sh that means single quotes; double quotes still permit backtick and $(...) command substitution).
    • Review every code path that reaches node:child_process from untrusted sources (web requests, job payloads, message queues, CI inputs), including indirect calls through libraries that wrap spawn().

Additional Information

  • Root cause (as described in the advisory): a quoting/sanitization priority bug in transformDenoShellCommand. Arguments containing a $VAR pattern can be wrapped in double quotes instead of being fully escaped; in POSIX sh, double quotes still allow backtick command substitution, so a backtick expression placed next to the $VAR reference executes as a command.
  • Upstream advisory reference: https://github.com/denoland/deno/security/advisories/GHSA-4c96-w8v2-p28j (lists affected versions v2.7.0/v2.7.1 and patched version 2.7.2).
Source: CVE Project (cvelistV5)
Published 13 Mar 2026

