GHSA-5379-F5HF-W38V

Vulnerability from github – Published: 2026-01-16 15:49 – Updated: 2026-01-16 15:49
Summary
Deno node:crypto doesn't finalize cipher
Details

Summary

Because the cipher object is never finalized, an attacker can keep encrypting with it indefinitely.

This enables naive brute-force attempts as well as more refined attacks aimed at learning the server's secrets.

PoC

import crypto from "node:crypto";

const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
cipher.final(); // should release the cipher state; affected Deno versions leave it usable

console.log(cipher);

Expected Output

Cipheriv {
  _decoder: null,
  _options: undefined,
  Symbol(kHandle): CipherBase {}
}

Actual Output

Cipheriv {
  _events: {
    close: undefined,
    error: undefined,
    prefinish: [Function: prefinish],
    finish: undefined,
    drain: undefined,
    data: undefined,
    end: undefined,
    readable: undefined
  },
  _readableState: ReadableState {
    highWaterMark: 65536,
    buffer: [],
    bufferIndex: 0,
    length: 0,
    pipes: [],
    awaitDrainWriters: null,
    [Symbol(kState)]: 1048844
  },
  _writableState: WritableState {
    highWaterMark: 65536,
    length: 0,
    corked: 0,
    onwrite: [Function: bound onwrite],
    writelen: 0,
    bufferedIndex: 0,
    pendingcb: 0,
    [Symbol(kState)]: 17580812,
    [Symbol(kBufferedValue)]: null
  },
  allowHalfOpen: true,
  _final: [Function: final],
  _maxListeners: undefined,
  _transform: [Function: transform],
  _eventsCount: 1,
  [Symbol(kCapture)]: false,
  [Symbol(kCallback)]: null
}

Mitigations

All users should upgrade to Deno v2.6.0 or newer.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.6"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-325"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-16T15:49:35Z",
    "nvd_published_at": "2026-01-15T23:15:51Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nThe vulnerability allows an attacker to have infinite encryptions. \n\nThis can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets.\n\n### PoC\n```js\nimport crypto from \"node:crypto\";\n\nconst key = crypto.randomBytes(32);\nconst iv = crypto.randomBytes(16);\nconst cipher = crypto.createCipheriv(\"aes-256-cbc\", key, iv);\ncipher.final()\n\nconsole.log(cipher);\n```\n\n### Expected Output\n```js\nCipheriv {\n  _decoder: null,\n  _options: undefined,\n  Symbol(kHandle): CipherBase {}\n}\n```\n\n### Actual Output\n```js\nCipheriv {\n  _events: {\n    close: undefined,\n    error: undefined,\n    prefinish: [Function: prefinish],\n    finish: undefined,\n    drain: undefined,\n    data: undefined,\n    end: undefined,\n    readable: undefined\n  },\n  _readableState: ReadableState {\n    highWaterMark: 65536,\n    buffer: [],\n    bufferIndex: 0,\n    length: 0,\n    pipes: [],\n    awaitDrainWriters: null,\n    [Symbol(kState)]: 1048844\n  },\n  _writableState: WritableState {\n    highWaterMark: 65536,\n    length: 0,\n    corked: 0,\n    onwrite: [Function: bound onwrite],\n    writelen: 0,\n    bufferedIndex: 0,\n    pendingcb: 0,\n    [Symbol(kState)]: 17580812,\n    [Symbol(kBufferedValue)]: null\n  },\n  allowHalfOpen: true,\n  _final: [Function: final],\n  _maxListeners: undefined,\n  _transform: [Function: transform],\n  _eventsCount: 1,\n  [Symbol(kCapture)]: false,\n  [Symbol(kCallback)]: null\n}\n```\n\n### Mitigations\n\nAll users should upgrade to Deno v2.6.0 or newer.",
  "id": "GHSA-5379-f5hf-w38v",
  "modified": "2026-01-16T15:49:35Z",
  "published": "2026-01-16T15:49:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22863"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v2.6.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Deno node:crypto doesn\u0027t finalize cipher"
}

