CVE Catalog

CVE-2026-44726

HighCVSS 7.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

In Deno from version 2.0.0 to 2.7.8, a vulnerability in the Node.js tls compatibility layer was found. When autoSelectFamily is enabled and the first address-family attempt fails, the reconnection may not be upgraded to TLS, causing application data to be transmitted in plaintext.

Risk Assessment

A network attacker who can cause the initial connection attempt to fail (e.g., by dropping IPv6 traffic on a dual-stack host) can intercept or tamper with traffic that the application believes is TLS-protected.

Recommendation

Update Deno to version 2.7.8 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook that was bound to the original, failed handle. As a result, the replacement TCP connection was never upgraded to TLS, and any data the application wrote before the secureConnect event travelled over the network unencrypted. A network attacker positioned to cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) could deterministically trigger the fallback path and observe or tamper with traffic that the application believed was TLS-protected. This vulnerability is fixed in 2.7.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS