{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/plaintext/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["deno"],"_cs_severities":["high"],"_cs_tags":["deno","tls","plaintext","vulnerability"],"_cs_type":"advisory","_cs_vendors":["rust"],"content_html":"\u003cp\u003eDeno, a modern runtime for JavaScript and TypeScript, contains a flaw within its Node.js tls compatibility layer that can lead to plaintext transmission of sensitive data. Specifically, when using the \u003ccode\u003enode:tls\u003c/code\u003e or \u003ccode\u003enode:https\u003c/code\u003e APIs with the default \u003ccode\u003eautoSelectFamily\u003c/code\u003e option enabled, a failed initial connection attempt can cause a subsequent retry to occur without proper TLS negotiation. This occurs because the socket reinitialization process reuses a stale TLS upgrade hook associated with the original, unsuccessful handle. An attacker who can manipulate network conditions to induce this initial failure can then observe or modify the data transmitted by the client application. This vulnerability affects Deno versions 2.0.0 through 2.7.7 and poses a significant risk to applications relying on TLS for secure communication. 
The vulnerability is tracked as CVE-2026-44726.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim application initiates a TLS connection using \u003ccode\u003enode:tls\u003c/code\u003e or \u003ccode\u003enode:https\u003c/code\u003e with \u003ccode\u003eautoSelectFamily\u003c/code\u003e enabled.\u003c/li\u003e\n\u003cli\u003eThe application resolves the target hostname to multiple IP addresses, including an unreachable address (e.g., an IPv6 address).\u003c/li\u003e\n\u003cli\u003eThe initial connection attempt to the unreachable address fails (e.g., due to dropped IPv6 traffic).\u003c/li\u003e\n\u003cli\u003eDeno\u0026rsquo;s tls compatibility layer attempts to retry the connection using a different resolved IP address (e.g., IPv4).\u003c/li\u003e\n\u003cli\u003eThe socket reinitialization process reuses a stale TLS upgrade hook from the failed connection attempt.\u003c/li\u003e\n\u003cli\u003eThe subsequent TCP connection is established without being upgraded to TLS.\u003c/li\u003e\n\u003cli\u003eThe victim application writes data to the socket before the \u003ccode\u003esecureConnect\u003c/code\u003e event is triggered. This data includes sensitive information like API keys and card numbers.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the plaintext data transmitted over the unencrypted TCP connection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a network attacker to observe and potentially tamper with data that the victim application believes is protected by TLS. This can lead to the disclosure of sensitive information such as API keys, authentication tokens, and financial data like credit card numbers. The proof-of-concept demonstrates the exposure of an \u003ccode\u003eAuthorization\u003c/code\u003e header containing a secret bearer token and card details. 
Applications that transmit sensitive data over TLS using vulnerable versions of Deno are at risk. The number of potential victims is difficult to estimate, but any application using the affected Deno versions with \u003ccode\u003enode:tls\u003c/code\u003e or \u003ccode\u003enode:https\u003c/code\u003e is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Deno to version 2.7.8 or later to patch CVE-2026-44726.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to unexpected destinations without TLS negotiation to identify potential exploitation attempts based on the attack chain described above.\u003c/li\u003e\n\u003cli\u003eConsider disabling \u003ccode\u003eautoSelectFamily\u003c/code\u003e in \u003ccode\u003enode:tls\u003c/code\u003e and \u003ccode\u003enode:https\u003c/code\u003e if upgrading is not immediately feasible. This will prevent the vulnerable connection retry behavior, although it may impact connectivity in certain network environments.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;Detect Deno Plaintext TLS Communication\u0026rdquo; Sigma rule to identify potentially vulnerable Deno processes attempting to communicate without proper TLS encryption.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T19:52:28Z","date_published":"2026-05-27T19:52:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-deno-tls-plaintext/","summary":"A vulnerability in Deno's Node.js tls compatibility layer (versions 2.0.0 to 2.7.7) allows a network attacker to intercept and tamper with plaintext application data transmitted over a supposedly TLS-protected connection when `autoSelectFamily` is enabled and the initial connection attempt fails, leading to potential information disclosure and data manipulation.","title":"Deno TLS Plaintext Injection 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-deno-tls-plaintext/"}],"language":"en","title":"CraftedSignal Threat Feed — Plaintext","version":"https://jsonfeed.org/version/1.1"}