Impact
From version 2.0.0 through 2.7.8, Deno’s Node.js TLS compatibility layer can cause a TLS client to transmit application data in plain text after a connection retry. When autoSelectFamily is enabled and the first address‑family attempt fails, the socket reinitialization path reuses a stale TLS upgrade hook bound to the original failed handle. Consequently, the replacement TCP connection is never upgraded to TLS, and any data the application writes before the secureConnect event travels over the network unencrypted. An attacker able to force the initial connection failure, such as by dropping IPv6 traffic on a dual‑stack host, can deterministically trigger this fallback and observe or tamper with traffic the application assumes is TLS‑protected.
Affected Systems
The vulnerability affects denoland’s Deno runtime for version ranges 2.0.0 through 2.7.8. Users running any of these Deno releases with the autoSelectFamily option enabled are potentially impacted until they upgrade to 2.7.8 or later.
Risk and Exploitability
The CVSS score of 7.4 denotes high severity, and the flaw is exploitable in environments where an attacker can interrupt initial connection attempts, for example by dropping IPv6 traffic or otherwise inducing a failure. Once the fallback is triggered, the attacker can passively observe or modify traffic that is presumed encrypted. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog, but the deterministic nature of the trigger makes it attractive for adversaries with network control. Prompt remediation reduces the risk of data exposure.
OpenCVE Enrichment
Github GHSA