Vulnerability-Lookup

CVE-2026-55517 (GCVE-0-2026-55517)

Vulnerability from cvelistv5 – Published: 2026-06-23 17:24 – Updated: 2026-06-23 17:52

Title

Deno: Denial of service via non-ASCII bytes in WebSocket response headers

Summary

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process. This vulnerability is fixed in 2.7.5.

Severity

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-248 - Uncaught Exception

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/denoland/deno/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
denoland	deno	Affected: < 2.7.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55517",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T17:52:15.311461Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T17:52:56.960Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "deno",
          "vendor": "denoland",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.7.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process. This vulnerability is fixed in 2.7.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T17:24:59.498Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/denoland/deno/security/advisories/GHSA-x2qc-cmh9-f4hf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/denoland/deno/security/advisories/GHSA-x2qc-cmh9-f4hf"
        }
      ],
      "source": {
        "advisory": "GHSA-x2qc-cmh9-f4hf",
        "discovery": "UNKNOWN"
      },
      "title": "Deno: Denial of service via non-ASCII bytes in WebSocket response headers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-55517",
    "datePublished": "2026-06-23T17:24:59.498Z",
    "dateReserved": "2026-06-16T22:44:22.284Z",
    "dateUpdated": "2026-06-23T17:52:56.960Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-55517\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-23T17:52:15.311461Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-23T17:52:20.336Z\"}}], \"cna\": {\"title\": \"Deno: Denial of service via non-ASCII bytes in WebSocket response headers\", \"source\": {\"advisory\": \"GHSA-x2qc-cmh9-f4hf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"denoland\", \"product\": \"deno\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.7.5\"}]}], \"references\": [{\"url\": \"https://github.com/denoland/deno/security/advisories/GHSA-x2qc-cmh9-f4hf\", \"name\": \"https://github.com/denoland/deno/security/advisories/GHSA-x2qc-cmh9-f4hf\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process. This vulnerability is fixed in 2.7.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-248\", \"description\": \"CWE-248: Uncaught Exception\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T17:24:59.498Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-55517\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-23T17:52:56.960Z\", \"dateReserved\": \"2026-06-16T22:44:22.284Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T17:24:59.498Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-X2QC-CMH9-F4HF

Vulnerability from github – Published: 2026-06-17 18:48 – Updated: 2026-06-17 18:48

Summary

Deno: Denial of service via non-ASCII bytes in WebSocket response headers

Details

Summary

A Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process.

Details

When establishing a client WebSocket connection, Deno read the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions headers from the server's 101 Switching Protocols response and converted them to strings without handling the failure case. HeaderValue::to_str() returns an error for any value containing bytes outside the visible-ASCII range, so a header carrying such bytes triggered an unrecoverable error during conversion.

Because the client initiates the outbound connection, the handshake response is fully controlled by the server. A server that returns bytes such as 0xFF 0xFE in either header could therefore crash any client that connected to it.

This is purely an availability issue. There is no information disclosure and no memory-safety impact; the only effect is termination of the current process.

Impact

Remote denial of service. Any Deno application that establishes WebSocket connections to untrusted or potentially-compromised endpoints could be terminated by the remote peer. Exploitation requires the victim application to initiate the outbound WebSocket connection. An attacker who controls the WebSocket endpoint, or who can man-in-the-middle a plaintext ws:// connection, could trigger the crash. The effect is confined to crashing the process that opened the connection.

Patch

The issue is fixed in Deno 2.7.5. The header values are now parsed with graceful fallbacks: values that cannot be represented as ASCII strings are skipped instead of aborting the process. A regression test covers a server that returns non-ASCII bytes in Sec-WebSocket-Protocol.

Users should upgrade to Deno 2.7.5 or later.

Workarounds

Until you can upgrade, only connect to trusted WebSocket endpoints and prefer wss:// (TLS) over ws://, which prevents a network man-in-the-middle from injecting malicious header bytes into the handshake response.

Severity

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7.4"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T18:48:18Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA Deno program that opens a client `WebSocket` connection could be crashed by\nthe remote server. While handling the WebSocket handshake response, Deno parsed\nthe `Sec-WebSocket-Protocol` and `Sec-WebSocket-Extensions` response headers in\na way that assumed their bytes were always printable ASCII. A response header\ncontaining non-visible-ASCII bytes (`0x80`-`0xFF`) caused a panic that aborted\nthe entire Deno process.\n\n## Details\n\nWhen establishing a client WebSocket connection, Deno read the\n`Sec-WebSocket-Protocol` and `Sec-WebSocket-Extensions` headers from the\nserver\u0027s `101 Switching Protocols` response and converted them to strings\nwithout handling the failure case. `HeaderValue::to_str()` returns an error for\nany value containing bytes outside the visible-ASCII range, so a header carrying\nsuch bytes triggered an unrecoverable error during conversion.\n\nBecause the client initiates the outbound connection, the handshake response is\nfully controlled by the server. A server that returns bytes such as `0xFF 0xFE`\nin either header could therefore crash any client that connected to it.\n\nThis is purely an availability issue. There is no information disclosure and no\nmemory-safety impact; the only effect is termination of the current process.\n\n## Impact\n\nRemote denial of service. Any Deno application that establishes WebSocket\nconnections to untrusted or potentially-compromised endpoints could be\nterminated by the remote peer. Exploitation requires the victim application to\ninitiate the outbound WebSocket connection. An attacker who controls the\nWebSocket endpoint, or who can man-in-the-middle a plaintext `ws://` connection,\ncould trigger the crash. The effect is confined to crashing the process that\nopened the connection.\n\n## Patch\n\nThe issue is fixed in Deno `2.7.5`. The header values are now parsed with\ngraceful fallbacks: values that cannot be represented as ASCII strings are\nskipped instead of aborting the process. A regression test covers a server that\nreturns non-ASCII bytes in `Sec-WebSocket-Protocol`.\n\nUsers should upgrade to Deno `2.7.5` or later.\n\n## Workarounds\n\nUntil you can upgrade, only connect to trusted WebSocket endpoints and prefer\n`wss://` (TLS) over `ws://`, which prevents a network man-in-the-middle from\ninjecting malicious header bytes into the handshake response.",
  "id": "GHSA-x2qc-cmh9-f4hf",
  "modified": "2026-06-17T18:48:18Z",
  "published": "2026-06-17T18:48:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-x2qc-cmh9-f4hf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno: Denial of service via non-ASCII bytes in WebSocket response headers"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-55517 (GCVE-0-2026-55517)

GHSA-X2QC-CMH9-F4HF

Summary

Details

Impact

Patch

Workarounds

Tags

Sightings

Nomenclature