Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook that was bound to the original, failed handle. As a result, the replacement TCP connection was never upgraded to TLS, and any data the application wrote before the secureConnect event travelled over the network unencrypted. A network attacker positioned to cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) could deterministically trigger the fallback path and observe or tamper with traffic that the application believed was TLS-protected. This vulnerability is fixed in 2.7.8.
Published: 2026-06-23
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

From version 2.0.0 through 2.7.8, Deno’s Node.js TLS compatibility layer can cause a TLS client to transmit application data in plain text after a connection retry. When autoSelectFamily is enabled and the first address‑family attempt fails, the socket reinitialization path reuses a stale TLS upgrade hook bound to the original failed handle. Consequently, the replacement TCP connection is never upgraded to TLS, and any data the application writes before the secureConnect event travels over the network unencrypted. An attacker able to force the initial connection failure, such as by dropping IPv6 traffic on a dual‑stack host, can deterministically trigger this fallback and observe or tamper with traffic the application assumes is TLS‑protected.

Affected Systems

The vulnerability affects denoland’s Deno runtime for version ranges 2.0.0 through 2.7.8. Users running any of these Deno releases with the autoSelectFamily option enabled are potentially impacted until they upgrade to 2.7.8 or later.

Risk and Exploitability

The CVSS score of 7.4 denotes high severity, and the flaw is exploitable in environments where an attacker can interrupt initial connection attempts, for example by dropping IPv6 traffic or otherwise inducing a failure. Once the fallback is triggered, the attacker can passively observe or modify traffic that is presumed encrypted. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog, but the deterministic nature of the trigger makes it attractive for adversaries with network control. Prompt remediation reduces the risk of data exposure.

Generated by OpenCVE AI on June 24, 2026 at 10:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Deno to version 2.7.8 or later to patch the TLS upgrade flaw that permits cleartext transmission (CWE-319).
  • If an upgrade cannot be performed immediately, disable the autoSelectFamily option or enforce IPv4 usage to prevent the stale TLS upgrade hook scenario.
  • Consider configuring network policies or firewall rules to block IPv6 traffic to the application, reducing the attacker’s ability to trigger a retry.
  • Ensure that any application code verifies the TLS handshake completes before transmitting sensitive data, thereby avoiding cleartext transmission until secureConnect.

Generated by OpenCVE AI on June 24, 2026 at 10:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-chqv-56wv-7564 Deno's TLS retry copies stale upgrade hook, risking plaintext traffic
History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Deno
Deno deno
Vendors & Products Deno
Deno deno

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook that was bound to the original, failed handle. As a result, the replacement TCP connection was never upgraded to TLS, and any data the application wrote before the secureConnect event travelled over the network unencrypted. A network attacker positioned to cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) could deterministically trigger the fallback path and observe or tamper with traffic that the application believed was TLS-protected. This vulnerability is fixed in 2.7.8.
Title Deno: TLS retry copies stale upgrade hook, risking plaintext traffic
Weaknesses CWE-319
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:48:50.170Z

Reserved: 2026-05-07T18:04:17.308Z

Link: CVE-2026-44726

cve-icon Vulnrichment

Updated: 2026-06-24T14:24:10.390Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-319

    Cleartext Transmission of Sensitive Information