deno is vulnerable to Broken Cryptographic Algorithm
72
High Risk
Deno's node:crypto DH and ECDH implementations contain multiple cryptographic bugs. In DH, group key generation misinterprets the endianness of the modulus (BigUint::from_slice) and produces wrong shared secrets, key derivation can panic, and PKCS#8/SPKI parsing and export mishandle DER INTEGERs. In ECDH, op_node_ecdh_compute_public_key uses a 33-byte buffer where 65 bytes are expected, which causes a panic, and setPrivateKey() and getPublicKey() mishandle encoding and the hybrid format. Before the fix, key agreement could yield incorrect or incompatible shared secrets (weakening or breaking confidentiality), and the process could crash (DoS). The patch fixes endianness, modular exponentiation, DER encoding, and ECDH buffer/key handling.
You are affected if you are using a version that falls within the vulnerable range.
deno is vulnerable to Broken Cryptographic Algorithm in versions 2.0.0 - 2.7.4.
Upgrade deno to the patched version.
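A runtime self-check for the two failure classes described above, as an added example that is not part of the advisory or of Deno's code: it compares DH group output with an independent big-endian BigInt computation and exercises the ECDH string-encoding and point-format paths. The group `modp14` and the curve `prime256v1` are assumptions chosen for illustration; a crash or any false field means the runtime disagrees with the reference.

```javascript
// Added example, not Deno project code. CommonJS form: under Deno 2 save it as a
// .cjs file, or swap the require for `import crypto from "node:crypto"`.
const crypto = require("node:crypto");

// Read a Buffer as an unsigned big-endian integer (the byte order node:crypto uses).
const toBig = (buf) => BigInt("0x" + (buf.toString("hex") || "0"));

// Square-and-multiply on BigInt: a reference independent of the runtime's DH code.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// DH group check: both sides agree, and keys/secret match g^x mod p and Y^x mod p.
function checkDhGroup(name = "modp14") { // group name is an assumption
  const alice = crypto.getDiffieHellman(name);
  const bob = crypto.getDiffieHellman(name);
  alice.generateKeys();
  bob.generateKeys();
  const p = toBig(alice.getPrime());
  const x = toBig(alice.getPrivateKey());
  const secret = alice.computeSecret(bob.getPublicKey());
  return {
    agree: secret.equals(bob.computeSecret(alice.getPublicKey())),
    publicOk: toBig(alice.getPublicKey()) === modPow(toBig(alice.getGenerator()), x, p),
    secretOk: toBig(secret) === modPow(toBig(bob.getPublicKey()), x, p),
  };
}

// ECDH check: setPrivateKey() with a string encoding must rebuild the same public
// key, and each point format must have the right length and leading byte.
function checkEcdh(curve = "prime256v1") { // curve choice is an assumption
  const a = crypto.createECDH(curve);
  a.generateKeys();
  const b = crypto.createECDH(curve);
  b.setPrivateKey(a.getPrivateKey("hex"), "hex");
  const keys = ["compressed", "uncompressed", "hybrid"].map((f) => b.getPublicKey(null, f));
  return {
    samePublic: b.getPublicKey().equals(a.getPublicKey()),
    lengths: keys.map((k) => k.length).join(","),
    prefixes: keys.map((k) => k[0]),
  };
}
```
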