{"id":"JLSEC-2026-114","summary":"Deno node:crypto doesn't finalize cipher","details":"### Summary\n\nDeno's `node:crypto` compatibility layer does not mark a `Cipheriv` as finalized after `final()` is called, so the same cipher object can keep being used once it should have been closed. Node.js rejects any further `update()` or `final()` call on a finalized cipher; in Deno the object stays live, which gives a caller an unbounded number of encryptions under the same key and IV.\n\nWhere an attacker can drive such a cipher object, this enables naive brute-force attempts as well as more refined attacks aimed at learning the server's secrets.\n\n### PoC\n\n```js\nimport crypto from \"node:crypto\";\n\n// Fresh random key and IV.\nconst key = crypto.randomBytes(32);\nconst iv = crypto.randomBytes(16);\nconst cipher = crypto.createCipheriv(\"aes-256-cbc\", key, iv);\n\n// After final() the cipher must not accept further input.\ncipher.final();\n\n// Inspect the object's state in the two runtimes (compare the outputs below).\nconsole.log(cipher);\n```\n\n### Expected Output (Node.js)\n\n```js\nCipheriv {\n  _decoder: null,\n  _options: undefined,\n  Symbol(kHandle): CipherBase {}\n}\n```\n\n### Actual Output (Deno before the fix)\n\n```js\nCipheriv {\n  _events: {\n    close: undefined,\n    error: undefined,\n    prefinish: [Function: prefinish],\n    finish: undefined,\n    drain: undefined,\n    data: undefined,\n    end: undefined,\n    readable: undefined\n  },\n  _readableState: ReadableState {\n    highWaterMark: 65536,\n    buffer: [],\n    bufferIndex: 0,\n    length: 0,\n    pipes: [],\n    awaitDrainWriters: null,\n    [Symbol(kState)]: 1048844\n  },\n  _writableState: WritableState {\n    highWaterMark: 65536,\n    length: 0,\n    corked: 0,\n    onwrite: [Function: bound onwrite],\n    writelen: 0,\n    bufferedIndex: 0,\n    pendingcb: 0,\n    [Symbol(kState)]: 17580812,\n    [Symbol(kBufferedValue)]: null\n  },\n  allowHalfOpen: true,\n  _final: [Function: final],\n  _maxListeners: undefined,\n  _transform: [Function: transform],\n  _eventsCount: 1,\n  [Symbol(kCapture)]: false,\n  [Symbol(kCallback)]: null\n}\n```\n\n### Mitigations\n\nAll users should upgrade to Deno v2.6.0 or newer.","modified":"2026-04-14T13:31:34.180022293Z","published":"2026-04-14T13:10:46.494Z","upstream":["CVE-2026-22863","EUVD-2026-2936","GHSA-5379-f5hf-w38v"],"database_specific":{"license":"CC-BY-4.0","sources":[{"id":"CVE-2026-22863","published":"2026-01-15T23:15:51.767Z","imported":"2026-04-14T12:58:55.191Z","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-22863","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22863","modified":"2026-01-21T14:35:52.730Z"},{"id":"GHSA-5379-f5hf-w38v","published":"2026-01-16T15:49:35Z","imported":"2026-04-14T12:58:59.776Z","url":"https://api.github.com/advisories/GHSA-5379-f5hf-w38v","modified":"2026-01-16T15:49:36Z","html_url":"https://github.com/advisories/GHSA-5379-f5hf-w38v"},{"id":"EUVD-2026-2936","published":"2026-01-15T22:53:15Z","imported":"2026-04-14T12:58:57.054Z","url":"https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2026-2936","html_url":"https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-2936","modified":"2026-01-16T17:16:41Z"}]},"references":[{"type":"WEB","url":"https://github.com/denoland/deno/releases/tag/v2.6.0"},{"type":"WEB","url":"https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22863"},{"type":"WEB","url":"https://github.com/advisories/GHSA-5379-f5hf-w38v"}],"affected":[{"package":{"name":"Deno_jll","ecosystem":"Julia","purl":"pkg:julia/Deno_jll?uuid=04572ae6-984a-583e-9378-9577a1c2574d"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.6.3+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-114.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"}],"credits":[{"name":"davidebombelli","contact":["https://github.com/davidebombelli"],"type":"FINDER"},{"name":"vdata1","contact":["https://github.com/vdata1"],"type":"FINDER"},{"name":"reallyTG","contact":["https://github.com/reallyTG"],"type":"FINDER"}]}