CVE-2026-55517
Rust Vulnerability Analysis and Mitigation

Overview

CVE-2026-55517 is a denial-of-service vulnerability in the Deno JavaScript/TypeScript runtime affecting all versions up to and including 2.7.4. During the WebSocket handshake, Deno incorrectly assumed that Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers would always contain printable ASCII bytes; non-visible-ASCII bytes (0x80–0xFF) in either header triggered an unrecoverable panic that aborted the entire Deno process. The vulnerability was published on June 17, 2026, and carries a CVSS v3.1 base score of 4.3 (Moderate) (GitHub Advisory, Deno Advisory).

Technical Details

The root cause is an uncaught exception (CWE-248): Deno's WebSocket client code called HeaderValue::to_str() on the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions headers from the server's 101 Switching Protocols response without handling the error case. HeaderValue::to_str() returns an Err for any byte outside the visible-ASCII range, and the unhandled error propagated as a Rust panic, terminating the process. Because the client initiates the connection, the server's handshake response is entirely attacker-controlled; a server returning bytes such as 0xFF 0xFE in either header is sufficient to trigger the crash. The fix in Deno 2.7.5 replaces the unwrap with graceful fallback logic that skips non-ASCII header values instead of panicking (GitHub Advisory, Deno Advisory).

Impact

The sole impact is availability: a malicious or compromised WebSocket server can crash any Deno client process that connects to it by returning non-ASCII bytes in the Sec-WebSocket-Protocol or Sec-WebSocket-Extensions handshake headers. There is no confidentiality or integrity impact, and no memory-safety concern. Applications that rely on persistent Deno processes (e.g., servers or long-running services that themselves open outbound WebSocket connections) are most at risk, as a crash would cause a complete service outage for that process (GitHub Advisory).

Exploitation Steps

  1. Set up a malicious WebSocket server: Configure a server to respond to WebSocket upgrade requests with a 101 Switching Protocols response that includes a Sec-WebSocket-Protocol or Sec-WebSocket-Extensions header containing non-visible-ASCII bytes (e.g., 0xFF 0xFE).
  2. Lure the victim: Induce a vulnerable Deno application (version ≤ 2.7.4) to initiate a WebSocket connection to the malicious server — for example, by hosting a page or service that the Deno app is configured to connect to, or by social engineering.
  3. Alternatively, perform MitM on ws://: For unencrypted ws:// connections, position between the Deno client and a legitimate server and inject non-ASCII bytes into the Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers of the 101 response.
  4. Trigger the panic: When the Deno client receives the crafted header, HeaderValue::to_str() returns an error that is not handled, causing a Rust panic that aborts the entire Deno process, resulting in denial of service (GitHub Advisory).

Indicators of Compromise

  • Logs: Deno process crash logs or stderr output containing Rust panic messages referencing WebSocket header parsing or HeaderValue::to_str() failures during a 101 Switching Protocols handshake.
  • Network: Outbound WebSocket (ws://) connections from the Deno process to unexpected or untrusted endpoints, particularly those returning non-standard Sec-WebSocket-Protocol or Sec-WebSocket-Extensions header values.
  • Process: Unexpected termination of the Deno runtime process immediately after establishing a WebSocket connection, with no application-level error handling triggered.

Mitigation and Workarounds

Upgrade to Deno 2.7.5 or later, which fixes the issue by gracefully skipping Sec-WebSocket-Protocol and Sec-WebSocket-Extensions header values that cannot be represented as ASCII strings instead of panicking. As a temporary workaround prior to upgrading, restrict Deno applications to connecting only to trusted WebSocket endpoints and prefer wss:// (TLS) over ws:// to prevent network-level man-in-the-middle injection of malicious header bytes (GitHub Advisory, Deno Advisory).
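The following Rust program is an added example, not Deno's own code, that models the header handling described in the technical details above and the fallback described in the fix. header_to_str re-implements, as an assumption about the http crate, the visible-ASCII check that HeaderValue::to_str performs (bytes 0x20..=0x7E and tab accepted, everything else an error); parse_handshake_vulnerable reproduces the unwrap pattern the advisory describes for 2.7.4 and earlier, and parse_handshake_fixed the skip-on-error fallback of 2.7.5. The HandshakeResponse and NegotiatedOptions types, the function names, and the two sample responses are constructed for this example and are not Deno identifiers.

```rust
// Added example (not Deno's code): models the HeaderValue::to_str panic behind
// CVE-2026-55517 and the graceful fallback the advisory describes for 2.7.5.

#[derive(Debug, PartialEq)]
pub struct ToStrError;

/// Model of `http::HeaderValue::to_str` (assumption: visible ASCII plus tab is
/// accepted; any other byte, including 0x80..=0xFF, yields an Err).
pub fn header_to_str(raw: &[u8]) -> Result<&str, ToStrError> {
    if raw.iter().all(|&b| (0x20..0x7F).contains(&b) || b == b'\t') {
        // All bytes are ASCII, hence valid UTF-8.
        Ok(std::str::from_utf8(raw).expect("visible ASCII is valid UTF-8"))
    } else {
        Err(ToStrError)
    }
}

/// A 101 Switching Protocols response reduced to the two headers at issue.
/// Both values are raw bytes the server fully controls (constructed type).
pub struct HandshakeResponse<'a> {
    pub protocol: Option<&'a [u8]>,
    pub extensions: Option<&'a [u8]>,
}

/// What the client keeps for the established connection (constructed type).
#[derive(Debug, PartialEq)]
pub struct NegotiatedOptions {
    pub protocol: Option<String>,
    pub extensions: Option<String>,
}

/// Vulnerable pattern (<= 2.7.4 behaviour as described): the Err from
/// to_str is unwrapped, so one non-ASCII byte aborts the whole process.
pub fn parse_handshake_vulnerable(resp: &HandshakeResponse) -> NegotiatedOptions {
    NegotiatedOptions {
        protocol: resp.protocol.map(|v| header_to_str(v).unwrap().to_string()),
        extensions: resp.extensions.map(|v| header_to_str(v).unwrap().to_string()),
    }
}

/// Fixed pattern (2.7.5 behaviour as described): a header value that is not
/// visible ASCII is skipped, i.e. treated as absent, instead of panicking.
pub fn parse_handshake_fixed(resp: &HandshakeResponse) -> NegotiatedOptions {
    let ascii_or_skip = |v: Option<&[u8]>| {
        v.and_then(|raw| header_to_str(raw).ok()).map(str::to_string)
    };
    NegotiatedOptions {
        protocol: ascii_or_skip(resp.protocol),
        extensions: ascii_or_skip(resp.extensions),
    }
}

fn main() {
    // Constructed samples: a benign response and one carrying the 0xFF 0xFE
    // bytes the advisory cites.
    let benign = HandshakeResponse {
        protocol: Some(b"chat"),
        extensions: Some(b"permessage-deflate"),
    };
    let hostile = HandshakeResponse {
        protocol: Some(&[0xFF, 0xFE]),
        extensions: Some(b"permessage-deflate"),
    };

    println!("benign  (fixed): {:?}", parse_handshake_fixed(&benign));
    println!("hostile (fixed): {:?}", parse_handshake_fixed(&hostile));

    // The vulnerable parser is run on a helper thread only so that this demo
    // survives; in a real runtime the unhandled panic takes the process down.
    let crashed = std::thread::spawn(|| {
        let hostile = HandshakeResponse { protocol: Some(&[0xFF, 0xFE]), extensions: None };
        parse_handshake_vulnerable(&hostile)
    })
    .join()
    .is_err();
    println!("vulnerable parser panicked on hostile response: {crashed}");
}
```

The fixed parser keeps the benign extensions value from the hostile response and drops only the non-ASCII protocol value, which is the behaviour a client wants: the connection proceeds without a subprotocol rather than taking the process with it.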

Additional Resources


Source: This report was generated using artificial intelligence.

Related Rust vulnerabilities:

CVE ID           Severity  Score  Technology  Component  CISA KEV exploit  Has fix  Publication date
CVE-2026-55441   HIGH      8.6    Rust        mise       No                         Jun 23, 2026
CVE-2026-55448   MEDIUM    6.3    Rust        mise       No                         Jun 23, 2026
CVE-2026-49983   MEDIUM    5.2    Rust        deno       No                         Jun 23, 2026
CVE-2026-49860   MEDIUM    5.2    Rust        deno       No                         Jun 23, 2026
CVE-2026-55517   MEDIUM    4.3    Rust        deno       No                         Jun 23, 2026
