GHSA-CHQV-56WV-7564 Deno's TLS retry copies stale upgrade hook, risking plaintext traffic
Summary A flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook tha...
CVE-2026-44726
| creation timestamp | type | source |
|---|---|---|
| 2026-05-27 13:04:30+00:00 | published-proof-of-concept | https://github.com/denoland/deno/security/advisories/GHSA-chqv-56wv-7564... |
PT-2026-44129
Summary A flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook tha...
Fake software on GitHub and SourceForge distributes Deno RAT
During our threat hunting activities, we found fake installers and plugins impersonating popular software including ChatGPT, Claude, AutoTune, and Kontakt on GitHub and SourceForge distributing a Deno backdoor known as DinDoor. Attackers are using compromised YouTube channels to distribute links ...
CVE-2026-41690
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that...
GHSA-Q2QQ-HMJ6-3WPP vulnerabilities
Vulnerabilities for packages: deno, ztunnel, shadowsocks-rust...
GHSA-3V94-MW7P-V465 vulnerabilities
Vulnerabilities for packages: deno, ztunnel, shadowsocks-rust...
GHSA-Q2QQ-HMJ6-3WPP vulnerabilities
Vulnerabilities for packages: ztunnel-fips, shadowsocks-rust, komodo, deno, ztunnel...
GHSA-3V94-MW7P-V465 vulnerabilities
Vulnerabilities for packages: ztunnel-fips, shadowsocks-rust, komodo, deno, ztunnel...
CVE-2026-42327 vulnerabilities
Vulnerabilities for packages: deno, sdp-k8s-injector, vector, rustup, sqlx, rpm-sequoia, sccache...
GHSA-XP3W-R5P5-63RR vulnerabilities
Vulnerabilities for packages: deno, sdp-k8s-injector, vector, rustup, sqlx, rpm-sequoia, sccache...
CVE-2026-42327 vulnerabilities
Vulnerabilities for packages: rustls-openssl-client, sccache, sentry-cli, bootc, valkey-ldap, guestproxyagent, vector, rpm-sequoia, sqlx, typst, komodo, ztunnel-fips, deno, rustup, sdp-k8s-injector...
GHSA-XP3W-R5P5-63RR vulnerabilities
Vulnerabilities for packages: rustls-openssl-client, sccache, sentry-cli, bootc, valkey-ldap, guestproxyagent, vector, rpm-sequoia, sqlx, typst, komodo, ztunnel-fips, deno, rustup, sdp-k8s-injector...
CVE-2026-41898 vulnerabilities
Vulnerabilities for packages: rustls-openssl-client, sccache, sentry-cli, bootc, valkey-ldap, guestproxyagent, vector, rpm-sequoia, sqlx, typst, komodo, ztunnel-fips, deno, rustup, sdp-k8s-injector...
CVE-2026-41898 vulnerabilities
Vulnerabilities for packages: deno, sdp-k8s-injector, vector, rustup, sqlx, rpm-sequoia, sccache...
JLSEC-2026-111 Deno's --deny-write check does not prevent permission bypass
Summary Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync are not limited by the permission model check --deny-write=./. It's possible to change the access (atime) and modification (mtime) times on the file stream resource even when the file is opened with read-only permission...
JLSEC-2026-101
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s,s/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to...
JLSEC-2026-102 Interactive `run` permission prompt spoofing via improper ANSI neutralization
Summary Arbitrary program names without any ANSI filtering allow any malicious program to clear the first 2 lines of an op_spawn_child or op_kill prompt and replace them with any desired text. Details The main entry point comes down to the ability to override what the API control says 40_process.js...
JLSEC-2026-100 Deno is vulnerable to race condition via interactive permission prompt spoofing
Impact Multi-threaded programs were able to spoof the interactive permission prompt by rewriting the prompt to suggest that the program is waiting on user confirmation for an unrelated action. A malicious program could clear the terminal screen after the permission prompt was shown and write a generic message li...