CVE-2026-22863 | THREATINT

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

PUBLISHED Reserved 2026-01-12 | Published 2026-01-15 | Updated 2026-01-16 | Assigner GitHub_M

CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-325: Missing Cryptographic Step

Product status

< 2.6.0

affected

References

github.com/...d/deno/security/advisories/GHSA-5379-f5hf-w38v

github.com/denoland/deno/releases/tag/v2.6.0

cve.org (CVE-2026-22863)

nvd.nist.gov (CVE-2026-22863)

Download JSON