CVE-2026-55517
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
A vulnerability in Deno before version 2.7.5 allows a remote WebSocket server to crash the Deno process by sending a response with Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers containing non-printable ASCII bytes (0x80-0xFF). The flaw is due to improper parsing of these headers, causing a panic that terminates the entire process.
Risk Assessment
A malicious WebSocket server can cause a denial of service (DoS) by crashing the Deno application, potentially disrupting critical services.
Recommendation
Upgrade Deno to version 2.7.5 or later immediately, which includes a fix for this vulnerability.
Original NVD description (English source)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process. This vulnerability is fixed in 2.7.5.

