CVE Catalog

CVE-2026-55517

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

A vulnerability in Deno before version 2.7.5 allows a remote WebSocket server to crash the Deno process by sending a response with Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers containing non-printable ASCII bytes (0x80-0xFF). The flaw is due to improper parsing of these headers, causing a panic that terminates the entire process.

Risk Assessment

A malicious WebSocket server can cause a denial of service (DoS) by crashing the Deno application, potentially disrupting critical services.

Recommendation

Upgrade Deno to version 2.7.5 or later immediately, which includes a fix for this vulnerability.

Original NVD description (English source)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process. This vulnerability is fixed in 2.7.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS