Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook that was bound to the original, failed handle. As a result, the replacement TCP connection was never upgraded to TLS, and any data the application wrote before the secureConnect event travelled over the network unencrypted. A network attacker positioned to cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) could deterministically trigger the fallback path and observe or tamper with traffic that the application believed was TLS-protected. This vulnerability is fixed in 2.7.8.
Severity (CVSS)
| Base score | 7.4 |
|---|---|
| Severity | High |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Provided by | CNA |
Weaknesses
- CWE-319 — CWE-319: Cleartext Transmission of Sensitive Information
Affected products
| Vendor | Product | Versions |
|---|---|---|
| denoland | deno | >= 2.0.0, < 2.7.8 |
References
- https://github.com/denoland/deno/security/advisories/GHSA-chqv-56wv-7564 (x_refsource_CONFIRM)
Generated from the official CVE List on 24 Jun 2026 09:35 UTC.