CVE-2026-22863
Published: 15 January 2026
Summary
CVE-2026-22863 is a critical-severity Missing Cryptographic Step (CWE-325) vulnerability in Deno Deno. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22863 affects Deno, a runtime for JavaScript, TypeScript, and WebAssembly, specifically versions prior to 2.6.0. The vulnerability resides in the node:crypto module, which fails to properly finalize ciphers. This flaw, classified under CWE-325 (Missing Required Cryptographic Step), enables infinite encryptions without proper termination, as scored at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-based exploitation with low complexity and no privileges required.
Remote attackers without authentication can exploit this vulnerability by repeatedly invoking encryption operations that do not finalize. This allows naive brute-force attempts or more sophisticated attacks aimed at disclosing server secrets through analysis of the unending encryption streams.
Deno addressed the issue in version 2.6.0, as detailed in the release notes and security advisory GHSA-5379-f5hf-w38v. Security practitioners should upgrade to 2.6.0 or later to mitigate the risk, ensuring proper cipher finalization in node:crypto usage.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2936
Vulnerability details
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the…
more
goal to learn the server secrets. This vulnerability is fixed in 2.6.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of crypto flaw in public-facing Deno runtime enables T1190; explicit support for brute-force and stream analysis attacks maps to T1110.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates correct cryptographic protection mechanisms, directly requiring proper cipher finalization to prevent the infinite-encryption flaw in node:crypto.
Requires timely remediation of identified flaws such as the missing finalization step (CWE-325) by applying the vendor fix in Deno 2.6.0.
Enforces approved configuration settings that include using only patched runtime versions with correctly implemented cryptographic primitives.