CVE-2026-22863
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22863
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
denoland deno 2.6.0
denoland deno to 2.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-325 The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the node:crypto module of Deno versions before 2.6.0, where the cipher object created for encryption does not properly finalize when cipher.final() is called. Instead of completing the encryption process, the cipher remains in an incomplete state, allowing an attacker to perform infinite encryptions. This flaw enables both naive brute force attacks and more sophisticated attempts to extract server secrets. [2]

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information by allowing attackers to perform infinite encryptions and attempt to brute force or extract server secrets. It has a high impact on confidentiality but does not affect integrity or availability. The attack can be performed remotely with no privileges or user interaction required. [2]

Detection Guidance

Detection can involve checking the Deno runtime version to identify if it is vulnerable (versions before 2.6.0). Since the vulnerability involves the node:crypto module's cipher not finalizing properly, monitoring for unusual or repeated encryption operations that do not complete may help. However, no specific detection commands are provided in the resources. A practical step is to run `deno --version` to verify the installed version. If it is below 2.6.0, the system is vulnerable. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the Deno runtime to version 2.6.0 or later, where the vulnerability is fixed. This upgrade resolves the issue with the cipher not finalizing encryption properly, preventing infinite encryptions and reducing the risk of brute force or secret extraction attacks. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22863. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart