JLSEC-2026-114

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-114.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-114.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-114
Upstream
  • EUVD-2026-2936
Published
2026-04-14T13:10:46.494Z
Modified
2026-04-14T13:31:34.180022293Z
Severity
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Summary
Deno node:crypto doesn't finalize cipher
Details

Summary

Because the cipher is not finalized, the vulnerability allows an attacker to obtain an unlimited number of encryptions.

This can enable naive brute-force attempts, as well as more refined attacks aimed at learning the server's secrets.

PoC

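import crypto from "node:crypto";

// Random key and IV for AES-256-CBC.
const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
// final() should finalize the cipher and release its internal state.
cipher.final();

// Inspect what is left of the object after final().
console.log(cipher);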

Expected Output

Cipheriv {
  _decoder: null,
  _options: undefined,
  Symbol(kHandle): CipherBase {}
}

Actual Output

Cipheriv {
  _events: {
    close: undefined,
    error: undefined,
    prefinish: [Function: prefinish],
    finish: undefined,
    drain: undefined,
    data: undefined,
    end: undefined,
    readable: undefined
  },
  _readableState: ReadableState {
    highWaterMark: 65536,
    buffer: [],
    bufferIndex: 0,
    length: 0,
    pipes: [],
    awaitDrainWriters: null,
    [Symbol(kState)]: 1048844
  },
  _writableState: WritableState {
    highWaterMark: 65536,
    length: 0,
    corked: 0,
    onwrite: [Function: bound onwrite],
    writelen: 0,
    bufferedIndex: 0,
    pendingcb: 0,
    [Symbol(kState)]: 17580812,
    [Symbol(kBufferedValue)]: null
  },
  allowHalfOpen: true,
  _final: [Function: final],
  _maxListeners: undefined,
  _transform: [Function: transform],
  _eventsCount: 1,
  [Symbol(kCapture)]: false,
  [Symbol(kCallback)]: null
}

Mitigations

All users should upgrade to Deno v2.6.0 or newer.
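
To confirm after upgrading that a deployed runtime really finalizes ciphers, the check below tries to reuse a cipher after final(). It is an added example, not part of the advisory or of Deno's code. It assumes Node.js semantics, in which update() and final() throw once final() has been called; the function names and the algorithm list are constructed for illustration.

```javascript
// Added example, not from the advisory: verify that node:crypto refuses to
// use a cipher object again once final() has been called on it.
const crypto = typeof require === "function"
  ? require("node:crypto")                   // loaded as CommonJS
  : process.getBuiltinModule("node:crypto"); // loaded as an ES module

// Constructed test matrix: [algorithm, key bytes, IV bytes].
const ALGORITHMS = [
  ["aes-256-cbc", 32, 16], // algorithm used in the advisory's PoC
  ["aes-128-ctr", 16, 16],
  ["aes-256-gcm", 32, 12],
];

// True when fn() throws.
function throws(fn) {
  try { fn(); return false; } catch { return true; }
}

// Finalize one cipher, then record whether further calls are rejected.
function checkFinalization(algorithm, keyLen, ivLen) {
  const key = crypto.randomBytes(keyLen);
  const iv = crypto.randomBytes(ivLen);
  const cipher = crypto.createCipheriv(algorithm, key, iv);
  cipher.update("constructed plaintext", "utf8");
  cipher.final();
  const updateRejected = throws(() => cipher.update("more data", "utf8"));
  const finalRejected = throws(() => cipher.final());
  return { algorithm, updateRejected, finalRejected,
           finalized: updateRejected && finalRejected };
}

// Names of algorithms whose cipher stayed usable after final().
function unfinalizedAlgorithms() {
  return ALGORITHMS
    .map(([alg, keyLen, ivLen]) => checkFinalization(alg, keyLen, ivLen))
    .filter((result) => !result.finalized)
    .map((result) => result.algorithm);
}

const failing = unfinalizedAlgorithms();
if (failing.length > 0) {
  console.error(`cipher still usable after final(): ${failing.join(", ")}`);
  process.exitCode = 1; // fail CI or a startup health check
} else {
  console.log("all tested ciphers reject use after final()");
}
```

A non-empty result from unfinalizedAlgorithms() means the runtime still accepts calls on a finalized cipher and should be treated as unpatched.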

Database specific
{
    "sources": [
        {
            "modified": "2026-01-21T14:35:52.730Z",
            "id": "CVE-2026-22863",
            "published": "2026-01-15T23:15:51.767Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-22863",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22863",
            "imported": "2026-04-14T12:58:55.191Z"
        },
        {
            "modified": "2026-01-16T15:49:36Z",
            "id": "GHSA-5379-f5hf-w38v",
            "published": "2026-01-16T15:49:35Z",
            "url": "https://api.github.com/advisories/GHSA-5379-f5hf-w38v",
            "html_url": "https://github.com/advisories/GHSA-5379-f5hf-w38v",
            "imported": "2026-04-14T12:58:59.776Z"
        },
        {
            "modified": "2026-01-16T17:16:41Z",
            "published": "2026-01-15T22:53:15Z",
            "id": "EUVD-2026-2936",
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-2936",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-2936",
            "imported": "2026-04-14T12:58:57.054Z"
        }
    ],
    "license": "CC-BY-4.0"
}

Affected packages

Julia / Deno_jll

Package

Name
Deno_jll
Purl
pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.6.3+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-114.json"