CVE-2026-55517
Status: Undergoing Analysis - In Progress
WebSocket Header Parsing DoS in Deno

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process. This vulnerability is fixed in 2.7.5.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: denoland
Product: deno
Version / Range: all versions before 2.7.5 (2.7.5 itself excluded)
CWE-248: An exception is thrown from a function, but it is not caught.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Deno versions prior to 2.7.5 whenever a Deno program opens a client WebSocket connection. During the WebSocket handshake, Deno parses the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers assuming they contain only printable ASCII bytes. If either header contains a byte outside that range (0x80 to 0xFF), the parser panics, and the panic aborts the entire Deno process.

This means a remote server or an attacker controlling the WebSocket server can cause any Deno application connecting to it to crash by sending specially crafted headers with non-ASCII bytes.

Mitigation Strategies

The primary mitigation is to upgrade Deno to version 2.7.5 or later, where the vulnerability is fixed by improved header parsing that gracefully skips non-ASCII bytes instead of crashing.

Until you can upgrade, take the following immediate steps:

  • Only connect to trusted WebSocket endpoints to avoid malicious servers sending crafted headers.
  • Prefer secure WebSocket connections (wss://) over plaintext (ws://) to prevent man-in-the-middle attacks that could inject malicious headers.
  • Monitor Deno processes for crashes related to WebSocket connections and restart them as needed.
Compliance Impact

This vulnerability primarily affects the availability of Deno applications by allowing a remote attacker to crash the process through malformed WebSocket headers. It does not involve memory safety issues, information disclosure, or data integrity compromise.

Since the vulnerability does not lead to unauthorized access, data leakage, or modification, it has limited direct impact on compliance with data protection regulations such as GDPR or HIPAA, which focus on confidentiality, integrity, and privacy of personal data.

However, the availability impact could indirectly affect compliance if critical services relying on Deno are disrupted, potentially violating uptime or service availability requirements in certain regulatory contexts.

Impact Analysis

The primary impact of this vulnerability is availability. An attacker who controls the WebSocket server or can perform a man-in-the-middle attack on an unencrypted ws:// connection can cause the Deno application to crash unexpectedly.

This crash results in denial of service for the affected application, potentially disrupting services or workflows that rely on Deno WebSocket connections.

There is no impact on confidentiality or integrity, as the vulnerability does not lead to memory safety issues or information disclosure.

Detection Guidance

This vulnerability occurs when a Deno program opens a client WebSocket connection and receives response headers containing non-ASCII bytes (0x80-0xFF) in the Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers, causing the Deno process to crash.

Crash monitoring detects exploitation rather than exposure; whether a host is exposed at all is decided by its Deno version, since every release before 2.7.5 is affected. To detect exploitation attempts on your system, monitor for unexpected crashes or panics in Deno processes that open WebSocket client connections, especially when they connect to untrusted or plaintext ws:// endpoints.

Since the issue is triggered by specific WebSocket handshake response headers, you can capture and inspect WebSocket handshake traffic using network tools like tcpdump or Wireshark to look for non-ASCII bytes in these headers.

Example commands to capture and inspect WebSocket handshake traffic:

  • Use tcpdump to capture traffic on port 80 or 443 (adjust the port as needed): tcpdump -i <interface> -s 0 -w capture.pcap port 80 or port 443
  • Open the capture in Wireshark and filter for WebSocket handshake HTTP responses, then inspect the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions headers for non-ASCII bytes. This only works for plaintext ws:// handshakes; a wss:// handshake on port 443 is inside TLS and cannot be inspected this way without the session keys.
  • Alternatively, run Deno with debugging or logging enabled and capture its stderr, where a panic message is written before the process aborts, to catch crashes related to WebSocket connections.
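As an added example (not Deno's code or the advisory's), the following TypeScript performs the header inspection from the bullets above on raw handshake bytes, such as bytes exported from a Wireshark capture: it flags every byte in the 0x80-0xFF range inside the Sec-WebSocket-Protocol or Sec-WebSocket-Extensions response headers and reports where in the value it sits. The sample response is constructed; its Sec-WebSocket-Accept value is the RFC 6455 example.

```typescript
// Added example, not code from Deno or the advisory: scan a captured WebSocket
// handshake response (raw bytes, e.g. from a pcap) for the CVE-2026-55517 condition.
const WATCHED_HEADERS = ["sec-websocket-protocol", "sec-websocket-extensions"];
// Encode a string whose chars are all U+0000..U+00FF as one byte each.
function latin1Bytes(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}

// Split the response head into CRLF-terminated lines, stopping at the empty line
// that ends the header block; a trailing unterminated line (cut capture) is dropped.
function splitHeaderLines(raw: Uint8Array): Uint8Array[] {
  const lines: Uint8Array[] = [];
  let start = 0;
  for (let i = 0; i + 1 < raw.length; i++) {
    if (raw[i] !== 0x0d || raw[i + 1] !== 0x0a) continue;
    if (i === start) break; // CRLF CRLF: end of headers
    lines.push(raw.subarray(start, i));
    start = i + 2;
    i++;
  }
  return lines;
}

// One finding per watched header whose value carries a byte >= 0x80; offsets are
// relative to the value (first byte after the colon). Works on bytes, not strings.
function scanHandshakeResponse(raw: Uint8Array): { header: string; offsets: number[] }[] {
  const findings: { header: string; offsets: number[] }[] = [];
  const lines = splitHeaderLines(raw);
  for (let n = 1; n < lines.length; n++) { // n = 0 is the status line
    const line = lines[n];
    const colon = line.indexOf(0x3a);
    if (colon < 0) continue;
    let name = ""; // header names are ASCII tokens, so byte-per-char decoding is exact
    for (let i = 0; i < colon; i++) name += String.fromCharCode(line[i]);
    name = name.trim().toLowerCase();
    if (WATCHED_HEADERS.indexOf(name) === -1) continue;
    const value = line.subarray(colon + 1);
    const offsets: number[] = [];
    for (let i = 0; i < value.length; i++) if (value[i] >= 0x80) offsets.push(i);
    if (offsets.length > 0) findings.push({ header: name, offsets });
  }
  return findings;
}
// Constructed sample: a 101 response whose Sec-WebSocket-Protocol value ends in a
// 0x80 byte (\u0080); the Sec-WebSocket-Accept value is the RFC 6455 example.
const SAMPLE_RESPONSE = latin1Bytes(
  "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n" +
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\nSec-WebSocket-Protocol: chat\u0080\r\n\r\n");
```

Running scanHandshakeResponse(SAMPLE_RESPONSE) yields one finding for sec-websocket-protocol at value offset 5; a response with high bytes only in headers the parser did not mishandle yields none.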