CVE-2026-44726
Undergoing Analysis - In Progress
Deno Node.js TLS Compatibility Plaintext Transmission Vulnerability

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily` was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook that was bound to the original, failed handle. As a result, the replacement TCP connection was never upgraded to TLS, and any data the application wrote before the `secureConnect` event travelled over the network unencrypted. A network attacker positioned to cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) could deterministically trigger the fallback path and observe or tamper with traffic that the application believed was TLS-protected. This vulnerability is fixed in 2.7.8.
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-24
AI Q&A
2026-06-23
EPSS Evaluated
N/A
Affected Vendors & Products
Vendor Product Version / Range
denoland deno 2.0.0 up to 2.7.8 (the CPE entry lists 2.7.8 inclusive; the description above gives the affected range as 2.0.0 until 2.7.8, with 2.7.8 being the fixed release)
denoland deno 2.7.8 (fixed release)
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Executive Summary

This vulnerability exists in Deno's Node.js TLS compatibility layer when the `autoSelectFamily` option is enabled. If the first attempt to connect over one address family (for example IPv6) fails, the client retries over the other (IPv4). During that retry the socket is reinitialized, but the reinitialization path reuses the TLS upgrade hook that was bound to the original, failed handle. The replacement TCP connection is therefore never upgraded to TLS, and any data the application writes before the `secureConnect` event goes onto the network in plaintext.

An attacker who can cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) can exploit this flaw to intercept or modify sensitive data that the application believes is protected by TLS.

Impact Analysis

This vulnerability can lead to the exposure of sensitive information such as authentication tokens and request bodies because data that should be encrypted is sent in plaintext. An attacker positioned on the network can observe or tamper with this data, compromising confidentiality and integrity.

In practice this means captured credentials can be replayed for unauthorized access, request contents (including bodies) leak, and an active attacker can alter requests in flight, undermining any application that relies on Deno's `node:tls` compatibility layer for transport security.

Detection Guidance

This vulnerability leaves no trace in the TLS layer itself: the replacement connection is never upgraded, so there is no handshake to inspect. Detection is therefore a matter of spotting cleartext on connections that should carry TLS, on dual-stack hosts running Deno's Node.js tls compatibility layer with autoSelectFamily enabled, particularly after a first-family connection attempt has failed.

On the wire, a healthy TLS client opens every connection with a ClientHello handshake record. A connection to a TLS port whose first client bytes are readable application data (an HTTP request line, a bearer token) instead of a handshake record is the signature of a socket that was never upgraded; this is the data the application wrote before the secureConnect event.

Packet capture on the affected host (or on a span port in front of it) is the most direct check. Capture traffic to ports that should be TLS-only (443 here) and look for readable request data where a handshake record is expected:

  • tcpdump -ni <interface> -A 'tcp port 443' (a readable GET or POST line with headers in the output, rather than the opaque bytes of a handshake record, is a hit)
  • in Wireshark, the display filter tcp.port == 443 && tcp.len > 0 && !tls lists segments carrying payload on 443 that the TLS dissector did not recognise; follow the TCP stream of any hit to confirm it opens with application data instead of a ClientHello

On the application side, instrument the client rather than relying on runtime debug output: log when the secureConnect handler runs relative to the first write, and log the connected socket's remoteAddress and remoteFamily so that connections that ended up on the second address family can be correlated with the capture.
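The following is an added example illustrating the on-the-wire check described above; it is not code from the advisory or from the Deno project. It classifies the first bytes a client sends on a connection (TLS handshake record carrying a ClientHello, readable cleartext, or opaque binary) and flags flows to a TLS port that opened with cleartext. The flow records, payloads and the names classifyClientFirstBytes and findCleartextOnTlsPorts are constructed for this example; feed it the client-side first bytes extracted from a capture (for instance with tshark -z follow,tcp,raw) to apply it to real traffic.

```javascript
// Added example for the detection guidance above; not code from the advisory
// or from Deno.  A healthy TLS client opens with a handshake record (content
// type 0x16) carrying a ClientHello (handshake type 0x01).  On the vulnerable
// Deno fallback path the replacement TCP connection is never upgraded, so the
// stream opens with readable application data instead.  Runs on Node or Deno;
// only Web-standard globals are used.  All sample data below is constructed.

const TLS_CONTENT_HANDSHAKE = 0x16;
const TLS_HANDSHAKE_CLIENT_HELLO = 0x01;

// Classify the client's first payload bytes on a connection.
function classifyClientFirstBytes(bytes) {
  if (bytes.length < 6) return "too-short";
  // Record header: type(1) legacy_version(2) length(2), then handshake type(1).
  // legacy_version is 0x0300..0x0304 (SSL 3.0 through the TLS 1.3 placeholder).
  const legacyVersionOk = bytes[1] === 0x03 && bytes[2] <= 0x04;
  if (bytes[0] === TLS_CONTENT_HANDSHAKE && legacyVersionOk &&
      bytes[5] === TLS_HANDSHAKE_CLIENT_HELLO) {
    return "tls-client-hello";
  }
  // No ClientHello: decide whether the bytes are readable text.
  let printable = 0;
  for (const b of bytes) {
    if ((b >= 0x20 && b < 0x7f) || b === 0x09 || b === 0x0a || b === 0x0d) printable++;
  }
  return printable / bytes.length >= 0.9 ? "plaintext" : "unknown-binary";
}

// Given flow records {id, dstPort, clientFirstBytes}, return the ids of flows
// to a TLS port whose client opened with cleartext.  Ports default to 443.
function findCleartextOnTlsPorts(flows, tlsPorts = new Set([443])) {
  return flows
    .filter((f) => tlsPorts.has(f.dstPort) &&
                   classifyClientFirstBytes(f.clientFirstBytes) === "plaintext")
    .map((f) => f.id);
}

function hexToBytes(hex) {
  return Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
}

// Constructed samples.  CLIENT_HELLO_PREFIX is the start of a TLS ClientHello
// record as a client sends it; LEAKED_REQUEST is what an HTTP client writes
// before any handshake if the socket was never upgraded.
const CLIENT_HELLO_PREFIX = hexToBytes("160301009a010000960303");
const LEAKED_REQUEST = new TextEncoder().encode(
  "GET /v1/account HTTP/1.1\r\nHost: api.example\r\n" +
  "Authorization: Bearer example-token\r\n\r\n");
const OPAQUE_BINARY = hexToBytes("00ff8001c3d27e00");

const SAMPLE_FLOWS = [
  { id: "flow-1", dstPort: 443, clientFirstBytes: CLIENT_HELLO_PREFIX }, // healthy TLS
  { id: "flow-2", dstPort: 443, clientFirstBytes: LEAKED_REQUEST },      // never upgraded
  { id: "flow-3", dstPort: 80,  clientFirstBytes: LEAKED_REQUEST },      // plain HTTP, expected
  { id: "flow-4", dstPort: 443, clientFirstBytes: OPAQUE_BINARY },       // not TLS, not readable
];

console.log(findCleartextOnTlsPorts(SAMPLE_FLOWS)); // ["flow-2"]
```

The printable-ratio heuristic is deliberately coarse: its job is to separate the obvious case the advisory describes (an HTTP request with headers going out in the clear) from unrelated binary protocols sharing the port, not to dissect TLS. Anything that is neither a ClientHello nor readable text is reported as unknown-binary so it can be reviewed by hand rather than silently ignored.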

Mitigation Strategies

The immediate mitigation step is to upgrade Deno to version 2.7.8 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, pass autoSelectFamily: false explicitly in the tls.connect() options (or pin a single address family with family: 4 or family: 6) rather than relying on the runtime default, so the address-family fallback path that skips the TLS upgrade is never entered. This also gives up the connectivity benefit of the fallback on hosts where one family is unreachable, so it is a stopgap rather than a permanent setting.

Also, queue application writes behind the secureConnect event instead of writing as soon as tls.connect() returns; the data the advisory describes as leaking is exactly what is written before that event.

Network operators cannot rely on keeping IPv6 reachable as a control, because the attacker in this scenario is the party dropping the first attempt. What they can do is treat an unexpected change of address family (a dual-stack host that normally reaches a service over IPv6 suddenly connecting over IPv4) as a signal worth correlating with the packet-capture checks in the detection guidance.
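The following is an added example that packages the two interim measures above into reusable helpers; it is not code from the advisory or from Deno, and the names hardenedTlsOptions, gateWritesUntilSecure and FakeTlsSocket are chosen for this example. The option hardening forces the fallback off, and the write gate holds every application write until the socket has emitted secureConnect, which is the advisory's advice not to write before that event. The stand-in socket exists only so the gate can be exercised offline; both helpers are a stopgap, not a substitute for upgrading to 2.7.8.

```javascript
// Added example for the interim mitigations above; not code from the advisory
// or from Deno.  (1) disable autoSelectFamily in the tls.connect() options so
// the address-family fallback path is never entered; (2) hold every
// application write until 'secureConnect' has fired.  Runs on Node and on
// Deno's node: compatibility layer; the FakeTlsSocket below is a constructed
// stand-in so the gate can be exercised without a live TLS endpoint.

// (1) Options hardening: force the fallback off whatever the caller or the
// runtime default says, and drop the attempt timeout that only applies to it.
function hardenedTlsOptions(options) {
  const out = { ...options, autoSelectFamily: false };
  delete out.autoSelectFamilyAttemptTimeout;
  return out;
}

// (2) Write gate: buffers chunks until the socket reports 'secureConnect',
// then flushes them in order.  After an 'error', or a 'close' without
// 'secureConnect', the buffer is discarded and further writes throw, so the
// application's data is never handed to a socket that was not upgraded.
function gateWritesUntilSecure(socket) {
  const pending = [];
  let secure = false;
  let failure = null;

  socket.once("secureConnect", () => {
    secure = true;
    for (const chunk of pending.splice(0)) socket.write(chunk);
  });
  socket.once("error", (err) => { failure = err; pending.length = 0; });
  socket.once("close", () => {
    if (!secure && !failure) failure = new Error("socket closed before secureConnect");
    pending.length = 0;
  });

  return {
    // Returns true if the chunk went to the socket now, false if it was queued.
    write(chunk) {
      if (failure) throw failure;
      if (secure) { socket.write(chunk); return true; }
      pending.push(chunk);
      return false;
    },
    get isSecure() { return secure; },
    get pendingCount() { return pending.length; },
  };
}

// Minimal stand-in for a tls.TLSSocket (constructed for this example): records
// what would have gone on the wire and lets the caller raise events.
class FakeTlsSocket {
  constructor() { this.sent = []; this.listeners = new Map(); }
  once(event, fn) {
    if (!this.listeners.has(event)) this.listeners.set(event, []);
    this.listeners.get(event).push(fn);
  }
  emit(event, ...args) {
    const fns = this.listeners.get(event) ?? [];
    this.listeners.set(event, []);
    for (const fn of fns) fn(...args);
  }
  write(chunk) { this.sent.push(chunk); return true; }
}

// Real usage against a live endpoint (not executed here):
//   import tls from "node:tls";
//   const socket = tls.connect(hardenedTlsOptions({ host: "api.example", port: 443, servername: "api.example" }));
//   const out = gateWritesUntilSecure(socket);
//   out.write("GET / HTTP/1.1\r\nHost: api.example\r\n\r\n"); // queued until secureConnect

// Offline walk-through with the stand-in socket.
function demo() {
  const socket = new FakeTlsSocket();
  const out = gateWritesUntilSecure(socket);
  const queued = out.write("GET /v1/account HTTP/1.1\r\nAuthorization: Bearer example-token\r\n\r\n");
  const onWireBeforeHandshake = socket.sent.length;  // 0: nothing left the application yet
  socket.emit("secureConnect");
  const onWireAfterHandshake = socket.sent.length;   // 1: flushed once the handshake completed
  return { queued, onWireBeforeHandshake, onWireAfterHandshake };
}
```

The gate deliberately fails closed: a socket that closes or errors before secureConnect discards whatever was queued and rejects later writes, so a caller cannot accidentally retry onto a connection whose TLS state is unknown. Pinning a family with family: 4 or family: 6 in the options passed to hardenedTlsOptions is optional; with autoSelectFamily forced off, the fallback path is not taken either way.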

Compliance Impact

This vulnerability causes application data to be transmitted in plaintext over the network after a connection retry, exposing sensitive information such as authentication tokens and request bodies to potential interception or tampering by attackers.

Such exposure of sensitive data in transit can lead to violations of common security requirements found in standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information during transmission.

Therefore, applications using affected versions of Deno with the vulnerable TLS compatibility layer may fail to meet compliance obligations related to data confidentiality and integrity until the vulnerability is patched.
