Severity: 8.3 (CVSS 4.0, OSV)
Deno: Infinite Encryptions with Node Crypto
JLSEC-2026-114
Summary
Deno's node:crypto compatibility module does not mark a cipher object as finished after final(). Node.js rejects any further update() or final() call on a finalized cipher with an error; an affected Deno build instead lets the caller keep pushing data through the same cipher object, with its fixed key and IV, indefinitely. The upstream advisory notes that this can assist naive brute-force attempts as well as more refined attacks aimed at recovering server secrets. To fix this, update to Deno v2.6.0 or newer (deno_jll 2.6.3+0).
What to do
- Update deno_jll to version 2.6.3+0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | deno_jll | < 2.6.3+0 | 2.6.3+0 |
Original title
Deno node:crypto doesn't finalize cipher
Original description
### Summary
The vulnerability allows an attacker to have infinite encryptions.
This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets.
### PoC
```js
import crypto from "node:crypto";

const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
cipher.final(); // should mark the cipher finished; further update()/final() must then fail
console.log(cipher); // inspect the object state after final()
```
### Expected Output
```js
Cipheriv {
  _decoder: null,
  _options: undefined,
  [Symbol(kHandle)]: CipherBase {}
}
```
### Actual Output
```js
Cipheriv {
  _events: {
    close: undefined,
    error: undefined,
    prefinish: [Function: prefinish],
    finish: undefined,
    drain: undefined,
    data: undefined,
    end: undefined,
    readable: undefined
  },
  _readableState: ReadableState {
    highWaterMark: 65536,
    buffer: [],
    bufferIndex: 0,
    length: 0,
    pipes: [],
    awaitDrainWriters: null,
    [Symbol(kState)]: 1048844
  },
  _writableState: WritableState {
    highWaterMark: 65536,
    length: 0,
    corked: 0,
    onwrite: [Function: bound onwrite],
    writelen: 0,
    bufferedIndex: 0,
    pendingcb: 0,
    [Symbol(kState)]: 17580812,
    [Symbol(kBufferedValue)]: null
  },
  allowHalfOpen: true,
  _final: [Function: final],
  _maxListeners: undefined,
  _transform: [Function: transform],
  _eventsCount: 1,
  [Symbol(kCapture)]: false,
  [Symbol(kCallback)]: null
}
```
### Mitigations
All users should upgrade to Deno v2.6.0 or newer.
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026