Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.
Published: 2026-01-15
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Infinite encryption and potential key exposure
Action: Patch
AI Analysis

Impact

Before the 2.6.0 release, the node:crypto module in Deno fails to finalize cipher operations, permitting an attacker to perform an unlimited number of encryptions. This flaw can enable brute-force attacks or more sophisticated attempts to discover server secrets, representing a serious threat to confidentiality and potentially leading to denial of service due to uncontrolled resource consumption.

Affected Systems

All releases of denoland/deno prior to the 2.6.0 tag are vulnerable because the node:crypto module is included in those versions. The official fix is integrated into the 2.6.0 release, which can be obtained from the Deno GitHub releases page and the associated security advisory.

Risk and Exploitability

The CVSS score of 9.2 is rated Critical, but the EPSS score of less than 1% indicates that the likelihood of exploitation is currently very low. The vulnerability is not listed in CISA's KEV catalog, suggesting no known in-the-wild exploitation yet. The flaw is reachable through the node:crypto API; the likely attack vector is an attacker provoking repeated encryptions through exposed interfaces or untrusted code paths, thereby exhausting resources or enabling brute-force analysis of cryptographic key material.

Generated by OpenCVE AI on April 18, 2026 at 19:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Deno 2.6.0 or newer
  • Restrict usage of node:crypto to trusted code paths only
  • Implement rate limiting on encryption endpoints to mitigate brute-force attempts


Advisories

Source: GitHub GHSA
ID: GHSA-5379-f5hf-w38v
Title: Deno node:crypto doesn't finalize cipher

History

Wed, 21 Jan 2026 14:45:00 +0000

  CPEs, values added: cpe:2.3:a:deno:deno:*:*:*:*:*:*:*:*
  Metrics, values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 16 Jan 2026 18:15:00 +0000

  Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 14:15:00 +0000

  First Time appeared, values added: Deno; Deno deno
  Vendors & Products, values added: Deno; Deno deno

Thu, 15 Jan 2026 23:00:00 +0000

  Description, values added: Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.
  Title, values added: Deno node:crypto doesn't finalize cipher
  Weaknesses, values added: CWE-325
  References
  Metrics, values added: cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T17:16:41.355Z

Reserved: 2026-01-12T16:20:16.746Z

Link: CVE-2026-22863

Vulnrichment

Updated: 2026-01-16T17:16:31.539Z

NVD

Status : Analyzed

Published: 2026-01-15T23:15:51.767

Modified: 2026-01-21T14:35:52.730

Link: CVE-2026-22863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses