CVE-2026-22863 — Missing Cryptographic Step in Deno

CWE-325 — Missing Cryptographic Step4 documents4 sources

Severity

9.2CRITICALNVD

EPSS

0.0%

top 99.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Denoland Deno Deno

Timeline

PublishedJan 15

Latest updateJan 16

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Packages3 packages

▶NVDdeno/deno< 2.6.0

▶crates.iodeno/deno< 2.6.0

▶CVEListV5denoland/deno< 2.6.0

🔴Vulnerability Details

OSV

Deno node:crypto doesn't finalize cipher↗2026-01-16

▶

GHSA

Deno node:crypto doesn't finalize cipher↗2026-01-16

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22863 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶