Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process. This vulnerability is fixed in 2.7.5.
Published: 2026-06-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Applications built with the Deno JavaScript, TypeScript, and WebAssembly runtime may crash when a client WebSocket connection receives a handshake response whose Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers contain non-visible-ASCII bytes (0x80-0xFF). Prior to version 2.7.5, Deno parsed these headers assuming all bytes were printable ASCII; the presence of non-ASCII data triggers a crash that results in a denial, but does not grant code execution or data disclosure. This vulnerability is an instance of CWE‑248.

Affected Systems

The vulnerability affects the denoland:deno product; any Deno runtime version earlier than 2.7.5 that establishes a WebSocket client connection is at risk. Applications running those releases that connect to untrusted WebSocket servers may be impacted.

Risk and Exploitability

The CVSS score of 4.3 classifies the issue as low severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploitation. The attack vector is remote—an attacker can trigger the crash by sending a crafted WebSocket handshake response from a malicious server. Because the issue only causes a local crash of the process, it does not lead to code execution or data exposure, but it can disrupt application availability.

Generated by OpenCVE AI on June 24, 2026 at 10:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Deno to version 2.7.5 or later to apply the fix
  • Avoid establishing WebSocket connections with untrusted servers if upgrading is not immediately possible
  • Configure a health check or process supervisor to detect and automatically restart, limiting downtime

Generated by OpenCVE AI on June 24, 2026 at 10:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x2qc-cmh9-f4hf Deno: Denial of service via non-ASCII bytes in WebSocket response headers
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Deno
Deno deno
Vendors & Products Deno
Deno deno

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process. This vulnerability is fixed in 2.7.5.
Title Deno: Denial of service via non-ASCII bytes in WebSocket response headers
Weaknesses CWE-248
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:52:56.960Z

Reserved: 2026-06-16T22:44:22.284Z

Link: CVE-2026-55517

cve-icon Vulnrichment

Updated: 2026-06-23T17:52:20.336Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses