CVE 9.2 CRITICAL

Deno node:crypto doesn’t finalize cipher_CVE-2026-22863

January 15, 2026 invoker category_cve

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

AI Analysis

The node:crypto module in Deno doesn't finalize cipher, allowing an attacker to have infinite encryptions and potentially brute force or refine attacks to learn server secrets.

Basic Information

ID CVE-2026-22863

Source GitHub_M

Published Jan 15, 2026 at 22:53

Affected Product

Vendor denoland

Product deno

Version < 2.6.0

Affected Versions denoland deno < 2.6.0

CWE Classification

CWE-325

AI Assessment

AI Score 9.2 / 10

AI Severity Critical

Vendor DenoLand

Product Deno

Version < 2.6.0

References

{
    "lastseen": "",
    "description": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.",
    "published": "2026-01-15T22:53:15.357Z",
    "modified": "2026-01-15T22:53:15.357Z",
    "type": "cve",
    "title": "Deno node:crypto doesn't finalize cipher",
    "source": "GitHub_M",
    "references": "https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v\nhttps://github.com/denoland/deno/releases/tag/v2.6.0",
    "id": "CVE-2026-22863",
    "bulletinFamily": "",
    "cwe": [
        "CWE-325"
    ],
    "cvelist": null,
    "sourceData": "denoland deno < 2.6.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "deno",
    "version": "< 2.6.0",
    "vendor": "denoland",
    "ai_description": "The node:crypto module in Deno doesn't finalize cipher, allowing an attacker to have infinite encryptions and potentially brute force or refine attacks to learn server secrets.",
    "ai_severity": "Critical",
    "ai_vendor": "DenoLand",
    "ai_product": "Deno",
    "ai_version": "< 2.6.0",
    "ai_score": 9.2
}

💭 Join the Security Discussion ❌ Cancel Reply