External risk intelligence

Deno TLS Compatibility Flaw Transmits Application Data in Plaintext

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-44726

Deno is a versatile runtime used for backend servers, CLI tools, and automation. While it can host internet-facing services, it is also frequently used for internal scripts and non-networked tasks. As the runtime is not a single-purpose edge device, its internet exposure depends entirely on the specific implementation and deployment context of the application.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Deno runtime, specifically within its Node.js compatibility layer for TLS connections, could expose application data to unencrypted transmission if a connection attempt fails and retries. This could allow a network attacker to view or alter data that the application believes is securely transmitted. The primary concern is confirming if Deno is used in a context where this specific TLS connection retry behavior could be triggered and expose sensitive information.

  • Data could be sent unencrypted during retries.
  • Affects secure communication if retries occur.
  • Confirm Deno's TLS retry usage and exposure.

Attack Path

How an attacker could exploit the issue

An attacker on the network could intercept sensitive application data if they can cause an initial TLS connection attempt to fail. This happens when Deno's Node.js compatibility layer tries to re-establish a connection after the first one fails, but it incorrectly reuses old settings. As a result, the connection is not secured with TLS, and data intended to be encrypted is sent in plain text.

  • Network attacker can trigger failure.
  • Stale TLS hook causes unencrypted data.
  • Sensitive information leakage and tampering.

Live Threat

Current exploitation, exposure, and threat context

When Deno's Node.js TLS compatibility layer encounters a connection retry after an initial address-family attempt fails, application data could be transmitted in plaintext if `autoSelectFamily` is enabled. This occurs because a stale TLS upgrade hook may be reused, preventing the new TCP connection from being properly upgraded to TLS. A network attacker could exploit this by causing the initial connection to fail, then observing or tampering with data that the application believes is securely transmitted.

  • Application data could be sent unencrypted.
  • Network attackers could intercept traffic.
  • Sensitive information could be exposed.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Deno, a runtime environment used for various applications. Application owners or platform teams responsible for Deno deployments should initiate the first steps. This involves identifying all Deno instances, assessing their network exposure and criticality, and then planning remediation based on risk and potential operational impact.

  • Deno application owners should lead remediation.
  • Verify Deno instances and network exposure.
  • Plan updates during scheduled maintenance.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Deno and where is it used?

Deno is a versatile runtime for executing JavaScript, TypeScript, and WebAssembly code. Developers use it to build backend web servers, command-line interface tools, and automation scripts. Because it functions as a flexible execution environment rather than a single-purpose appliance, its role ranges from hosting internet-facing APIs to running private, internal utility tasks on local machines.

What does CWE-319 mean for CVE-2026-44726?

CWE-319 identifies a weakness in cleartext transmission of sensitive information. In this CVE, it describes a flaw where the Deno runtime mistakenly transmits application data without the intended TLS encryption. Even though your code might be configured to use secure connections, this underlying defect allows data to travel over the network in plaintext when specific connection retries occur.

How is this TLS flaw triggered?

The issue occurs when the `autoSelectFamily` setting is enabled and an initial connection attempt fails. Deno incorrectly reuses a stale TLS configuration from the failed attempt for the new connection, leaving the traffic unencrypted. This behavior does not trigger if `autoSelectFamily` is disabled, or if the connection attempt succeeds on the very first try without needing a retry.

Do I need to worry if my Deno app is internal?

According to Halo Surface Signal, risk depends on your specific deployment. If your application handles sensitive data and is reachable from an untrusted network, an attacker could force connection failures to trigger the unencrypted state. While internal apps face lower risk than internet-facing ones, any Deno instance using the affected Node.js compatibility layer should be evaluated for potential impact.

When should I update my Deno installation?

You should plan to update to Deno 2.7.8 or later during your next maintenance cycle. Start by identifying where Deno is running in your environment and determining if your applications rely on the affected TLS compatibility settings. Once mapped, prioritize updates for systems that process sensitive information or handle external network traffic to eliminate the risk of plaintext data transmission.

References