Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability in the Deno runtime, specifically within its Node.js compatibility layer for TLS connections, could expose application data to unencrypted transmission if a connection attempt fails and retries. This could allow a network attacker to view or alter data that the application believes is securely transmitted. The primary concern is confirming if Deno is used in a context where this specific TLS connection retry behavior could be triggered and expose sensitive information.
- Data could be sent unencrypted during retries.
- Affects secure communication if retries occur.
- Confirm Deno's TLS retry usage and exposure.
Attack Path
How an attacker could exploit the issue
An attacker on the network could intercept sensitive application data if they can cause an initial TLS connection attempt to fail. This happens when Deno's Node.js compatibility layer tries to re-establish a connection after the first one fails, but it incorrectly reuses old settings. As a result, the connection is not secured with TLS, and data intended to be encrypted is sent in plain text.
- Network attacker can trigger failure.
- Stale TLS hook causes unencrypted data.
- Sensitive information leakage and tampering.
Live Threat
Current exploitation, exposure, and threat context
When Deno's Node.js TLS compatibility layer encounters a connection retry after an initial address-family attempt fails, application data could be transmitted in plaintext if `autoSelectFamily` is enabled. This occurs because a stale TLS upgrade hook may be reused, preventing the new TCP connection from being properly upgraded to TLS. A network attacker could exploit this by causing the initial connection to fail, then observing or tampering with data that the application believes is securely transmitted.
- Application data could be sent unencrypted.
- Network attackers could intercept traffic.
- Sensitive information could be exposed.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability impacts Deno, a runtime environment used for various applications. Application owners or platform teams responsible for Deno deployments should initiate the first steps. This involves identifying all Deno instances, assessing their network exposure and criticality, and then planning remediation based on risk and potential operational impact.
- Deno application owners should lead remediation.
- Verify Deno instances and network exposure.
- Plan updates during scheduled maintenance.