Skip to main content

Deno EUVDEUVD-2026-38549

| CVE-2026-55517 MEDIUM
Uncaught Exception (CWE-248)
2026-06-17 https://github.com/denoland/deno GHSA-x2qc-cmh9-f4hf
4.3
CVSS 3.1 · Vendor: https://github.com/denoland/deno
Share

Severity by source

Vendor (https://github.com/denoland/deno) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
vuln.today AI
4.3 MEDIUM

Network-delivered crash requiring victim to initiate the connection (UI:R); attacker needs no victim-system privileges (PR:N); only the connecting Deno process terminates (A:L), no data exposed.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (https://github.com/denoland/deno).

CVSS VectorVendor: https://github.com/denoland/deno

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 01:56 vuln.today
Analysis Generated
Jun 18, 2026 - 01:56 vuln.today

DescriptionCVE.org

Summary

A Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process.

Details

When establishing a client WebSocket connection, Deno read the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions headers from the server's 101 Switching Protocols response and converted them to strings without handling the failure case. HeaderValue::to_str() returns an error for any value containing bytes outside the visible-ASCII range, so a header carrying such bytes triggered an unrecoverable error during conversion.

Because the client initiates the outbound connection, the handshake response is fully controlled by the server. A server that returns bytes such as 0xFF 0xFE in either header could therefore crash any client that connected to it.

This is purely an availability issue. There is no information disclosure and no memory-safety impact; the only effect is termination of the current process.

Impact

Remote denial of service. Any Deno application that establishes WebSocket connections to untrusted or potentially-compromised endpoints could be terminated by the remote peer. Exploitation requires the victim application to initiate the outbound WebSocket connection. An attacker who controls the WebSocket endpoint, or who can man-in-the-middle a plaintext ws:// connection, could trigger the crash. The effect is confined to crashing the process that opened the connection.

Patch

The issue is fixed in Deno 2.7.5. The header values are now parsed with graceful fallbacks: values that cannot be represented as ASCII strings are skipped instead of aborting the process. A regression test covers a server that returns non-ASCII bytes in Sec-WebSocket-Protocol.

Users should upgrade to Deno 2.7.5 or later.

Workarounds

Until you can upgrade, only connect to trusted WebSocket endpoints and prefer wss:// (TLS) over ws://, which prevents a network man-in-the-middle from injecting malicious header bytes into the handshake response.

AnalysisAI

Process-terminating denial of service in Deno's WebSocket client (versions <= 2.7.4) allows any server - or a network man-in-the-middle on an unencrypted ws:// connection - to crash a Deno application by returning non-visible-ASCII bytes (0x80-0xFF) in the Sec-WebSocket-Protocol or Sec-WebSocket-Extensions handshake response headers. The root cause is an unhandled Rust panic in the HTTP upgrade path: HeaderValue::to_str() returns an error for out-of-range bytes, and that error path was not caught, causing the entire Deno process to abort. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker controls or intercepts WebSocket server
Delivery
Deno client initiates outbound WebSocket connection
Exploit
Server returns 101 response with non-ASCII bytes in Sec-WebSocket-Protocol or Sec-WebSocket-Extensions
Execution
HeaderValue::to_str() returns unhandled error
Persist
Rust panic aborts Deno process
Impact
Target application crashes (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable Deno application (version <= 2.7.4) initiates an outbound WebSocket connection - the attack cannot be triggered by passive network presence alone; the client must connect first. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L is well-calibrated: the attack is network-reachable, requires no credentials on the victim system, and has low complexity, but the victim process must initiate the connection (UI:R) and impact is limited to process termination (A:L) with no confidentiality or integrity exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who operates a WebSocket server - or who can intercept a plaintext ws:// connection through ARP spoofing or DNS manipulation - responds to the Deno client's upgrade request with a crafted 101 Switching Protocols response that includes a Sec-WebSocket-Protocol header value containing bytes such as 0xFF 0xFE. The Deno runtime's HeaderValue::to_str() call fails on this input, the unhandled error causes a Rust panic, and the entire Deno process terminates instantly. …
Remediation Upgrade to Deno 2.7.5 or later; this is the vendor-released patch confirmed by the GitHub advisory GHSA-x2qc-cmh9-f4hf. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

EUVD-2026-38549 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy