Impact
Applications built with the Deno JavaScript, TypeScript, and WebAssembly runtime may crash when a client WebSocket connection receives a handshake response whose Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers contain non-visible-ASCII bytes (0x80-0xFF). Prior to version 2.7.5, Deno parsed these headers assuming all bytes were printable ASCII; the presence of non-ASCII data triggers a crash that results in a denial, but does not grant code execution or data disclosure. This vulnerability is an instance of CWE‑248.
Affected Systems
The vulnerability affects the denoland:deno product; any Deno runtime version earlier than 2.7.5 that establishes a WebSocket client connection is at risk. Applications running those releases that connect to untrusted WebSocket servers may be impacted.
Risk and Exploitability
The CVSS score of 4.3 classifies the issue as low severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploitation. The attack vector is remote—an attacker can trigger the crash by sending a crafted WebSocket handshake response from a malicious server. Because the issue only causes a local crash of the process, it does not lead to code execution or data exposure, but it can disrupt application availability.
OpenCVE Enrichment
Github GHSA