=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN050
_____________________________________________________________________

DATE                : 19/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Deno versions prior to 2.6.0.

=====================================================================
https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v
https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6
_____________________________________________________________________

`node:crypto` doesn't finalize cipher
Critical
bartlomieju published GHSA-5379-f5hf-w38v Jan 15, 2026

Package
node:crypto (Deno)

Affected versions
<= 2.5.6

Patched versions
2.6.0


Description

Summary

The vulnerability allows an attacker to perform an unlimited number of
encryptions with a cipher object, because `final()` does not finalize it.

This can lead to naive attempts at brute forcing, as well as more
refined attacks aimed at learning the server's secrets.


PoC

import crypto from "node:crypto";

const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
cipher.final(); // should finalize the cipher; on affected Deno versions it does not

console.log(cipher);

Expected Output

Cipheriv {
  _decoder: null,
  _options: undefined,
  Symbol(kHandle): CipherBase {}
}

Actual Output

Cipheriv {
  _events: {
    close: undefined,
    error: undefined,
    prefinish: [Function: prefinish],
    finish: undefined,
    drain: undefined,
    data: undefined,
    end: undefined,
    readable: undefined
  },
  _readableState: ReadableState {
    highWaterMark: 65536,
    buffer: [],
    bufferIndex: 0,
    length: 0,
    pipes: [],
    awaitDrainWriters: null,
    [Symbol(kState)]: 1048844
  },
  _writableState: WritableState {
    highWaterMark: 65536,
    length: 0,
    corked: 0,
    onwrite: [Function: bound onwrite],
    writelen: 0,
    bufferedIndex: 0,
    pendingcb: 0,
    [Symbol(kState)]: 17580812,
    [Symbol(kBufferedValue)]: null
  },
  allowHalfOpen: true,
  _final: [Function: final],
  _maxListeners: undefined,
  _transform: [Function: transform],
  _eventsCount: 1,
  [Symbol(kCapture)]: false,
  [Symbol(kCallback)]: null
}

Mitigations

All users should upgrade to Deno v2.6.0 or newer.


Severity
Critical
9.2 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity None
Availability None
Subsequent System Impact Metrics
Confidentiality High
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CVE ID
CVE-2026-22863

Weaknesses
Weakness CWE-325


Credits

    @davidebombelli davidebombelli Finder
    @vdata1 vdata1 Finder
    @reallyTG reallyTG Finder

_____________________________________________________________________

Incomplete fix for command-injection prevention on Windows —
case-insensitive extension bypass

High
bartlomieju published GHSA-m3c4-prhw-mrx6 Jan 15, 2026

Package
No package listed

Affected versions
< 2.5.6

Patched versions
2.5.6


Description

Summary

A prior patch aimed to block spawning Windows batch/shell files by
returning an error when a spawned path’s extension matched .bat or
.cmd. That check performs a case-sensitive comparison against
lowercase literals and therefore can be bypassed when the extension
uses alternate casing (for example .BAT, .Bat, etc.).


POC

const command = new Deno.Command('./test.BAT', {
  args: ['&calc.exe'],
});
const child = command.spawn();

This causes calc.exe to be launched; see the attached screenshot for 
evidence.

Patched in CVE-2025-61787 — prevents execution of .bat and .cmd files:
[screenshot photo_2025-10-10 02 27 23, not included in this mail]

Bypass of the patched vulnerability:
[screenshot photo_2025-10-10 02 27 25, not included in this mail]


Impact

The script launches calc.exe on Windows, demonstrating that passing 
user-controlled arguments to a spawned batch script can result in 
command-line injection.


Mitigation

Users should update to Deno v2.5.6 or newer.


Severity
High
8.1 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-22864

Weaknesses
Weakness CWE-77

Credits

    @SharokhAtaie SharokhAtaie Reporter

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================