CVE-2026-55517

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.7.5

Description A Deno program opening a client WebSocket connection can be crashed by a remote server. During the WebSocket handshake response, Deno parsed the 'Sec-WebSocket-Protocol' and 'Sec-WebSocket-Extensions' response headers assuming the bytes were printable ASCII. If a response header contains non-visible-ASCII bytes (0x80-0xFF), it triggers a panic in the HeaderValue::to str() function, which aborts the entire Deno process. This results in a remote denial of service where an attacker controlling the WebSocket endpoint or performing a man-in-the-middle attack on a plaintext 'ws://' connection can terminate the process that initiated the outbound connection.

Recommendations Update to version 2.7.5 or later. As a temporary workaround, only connect to trusted WebSocket endpoints and prefer 'wss://' (TLS) over 'ws://' to prevent network man-in-the-middle injection of malicious header bytes.