Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Network-delivered crash requiring victim to initiate the connection (UI:R); attacker needs no victim-system privileges (PR:N); only the connecting Deno process terminates (A:L), no data exposed.
Primary rating from Vendor (https://github.com/denoland/deno).
CVSS VectorVendor: https://github.com/denoland/deno
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Summary
A Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process.
Details
When establishing a client WebSocket connection, Deno read the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions headers from the server's 101 Switching Protocols response and converted them to strings without handling the failure case. HeaderValue::to_str() returns an error for any value containing bytes outside the visible-ASCII range, so a header carrying such bytes triggered an unrecoverable error during conversion.
Because the client initiates the outbound connection, the handshake response is fully controlled by the server. A server that returns bytes such as 0xFF 0xFE in either header could therefore crash any client that connected to it.
This is purely an availability issue. There is no information disclosure and no memory-safety impact; the only effect is termination of the current process.
Impact
Remote denial of service. Any Deno application that establishes WebSocket connections to untrusted or potentially-compromised endpoints could be terminated by the remote peer. Exploitation requires the victim application to initiate the outbound WebSocket connection. An attacker who controls the WebSocket endpoint, or who can man-in-the-middle a plaintext ws:// connection, could trigger the crash. The effect is confined to crashing the process that opened the connection.
Patch
The issue is fixed in Deno 2.7.5. The header values are now parsed with graceful fallbacks: values that cannot be represented as ASCII strings are skipped instead of aborting the process. A regression test covers a server that returns non-ASCII bytes in Sec-WebSocket-Protocol.
Users should upgrade to Deno 2.7.5 or later.
Workarounds
Until you can upgrade, only connect to trusted WebSocket endpoints and prefer wss:// (TLS) over ws://, which prevents a network man-in-the-middle from injecting malicious header bytes into the handshake response.
AnalysisAI
Process-terminating denial of service in Deno's WebSocket client (versions <= 2.7.4) allows any server - or a network man-in-the-middle on an unencrypted ws:// connection - to crash a Deno application by returning non-visible-ASCII bytes (0x80-0xFF) in the Sec-WebSocket-Protocol or Sec-WebSocket-Extensions handshake response headers. The root cause is an unhandled Rust panic in the HTTP upgrade path: HeaderValue::to_str() returns an error for out-of-range bytes, and that error path was not caught, causing the entire Deno process to abort. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the vulnerable Deno application (version <= 2.7.4) initiates an outbound WebSocket connection - the attack cannot be triggered by passive network presence alone; the client must connect first. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L is well-calibrated: the attack is network-reachable, requires no credentials on the victim system, and has low complexity, but the victim process must initiate the connection (UI:R) and impact is limited to process termination (A:L) with no confidentiality or integrity exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who operates a WebSocket server - or who can intercept a plaintext ws:// connection through ARP spoofing or DNS manipulation - responds to the Deno client's upgrade request with a crafted 101 Switching Protocols response that includes a Sec-WebSocket-Protocol header value containing bytes such as 0xFF 0xFE. The Deno runtime's HeaderValue::to_str() call fails on this input, the unhandled error causes a Rust panic, and the entire Deno process terminates instantly. … |
| Remediation | Upgrade to Deno 2.7.5 or later; this is the vendor-released patch confirmed by the GitHub advisory GHSA-x2qc-cmh9-f4hf. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: ModerateShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38549
GHSA-x2qc-cmh9-f4hf