A command injection vulnerability exists in Deno's node:child_process polyfill that bypasses a previous CVE fix. The vulnerability affects Deno versions 2.7.0 to 2.7.1 in shell mode. A priority bug in argument sanitization causes arguments with $VAR patterns to be wrapped in double quotes instead of single quotes. This allows backtick command substitution to execute, enabling arbitrary OS command execution. Attackers can bypass Deno's permission system by controlling arguments passed to spawnSync or spawn with shell: true. The vulnerability is fixed in version 2.7.2.