GHSA-5379-f5hf-w38v: Deno node:crypto doesn't finalize cipher

Summary

The cipher is not finalized when `final()` is called, so an attacker can keep performing an unbounded number of encryptions with the same cipher instance.

This enables naive brute-force attempts as well as more refined attacks aimed at learning the server's secrets.

PoC

import crypto from "node:crypto";

const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
cipher.final(); // should finalize the cipher and release its underlying state

console.log(cipher); // inspect what state the object still holds after final()

Expected Output

Cipheriv {
  _decoder: null,
  _options: undefined,
  Symbol(kHandle): CipherBase {}
}

Actual Output

Cipheriv {
  _events: {
    close: undefined,
    error: undefined,
    prefinish: [Function: prefinish],
    finish: undefined,
    drain: undefined,
    data: undefined,
    end: undefined,
    readable: undefined
  },
  _readableState: ReadableState {
    highWaterMark: 65536,
    buffer: [],
    bufferIndex: 0,
    length: 0,
    pipes: [],
    awaitDrainWriters: null,
    [Symbol(kState)]: 1048844
  },
  _writableState: WritableState {
    highWaterMark: 65536,
    length: 0,
    corked: 0,
    onwrite: [Function: bound onwrite],
    writelen: 0,
    bufferedIndex: 0,
    pendingcb: 0,
    [Symbol(kState)]: 17580812,
    [Symbol(kBufferedValue)]: null
  },
  allowHalfOpen: true,
  _final: [Function: final],
  _maxListeners: undefined,
  _transform: [Function: transform],
  _eventsCount: 1,
  [Symbol(kCapture)]: false,
  [Symbol(kCallback)]: null
}

Mitigations

All users should upgrade to Deno v2.6.0 or newer.

Advisory details

Severity: Critical (GitHub Reviewed)
Published: Jan 15, 2026 in denoland/deno; updated Jan 16, 2026
Package: deno (cargo, Rust)
Affected versions: <= 2.5.6


References

  • GHSA-5379-f5hf-w38v
  • https://nvd.nist.gov/vuln/detail/CVE-2026-22863
  • https://github.com/denoland/deno/releases/tag/v2.6.0

Published to the GitHub Advisory Database

Jan 16, 2026

Last updated

Jan 16, 2026
