CVE-2026-55517: Deno: Denial of service via non-ASCII bytes in WebSocket response headers
A Deno program that opens a client WebSocket connection could be crashed by
the remote server. While handling the WebSocket handshake response, Deno parsed
the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in
a way that assumed their bytes were always printable ASCII. A response header
containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted
the entire Deno process.
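The failure mode described above, sketched in Rust as an added example (this is not Deno's source code): a header-to-string conversion that accepts only visible ASCII, called once with `unwrap()` and once with the error propagated to the caller. All function names, the error type and the sample header bytes are constructed for illustration, and modelling the panic as an unwrapped conversion error is an assumption.

```rust
use std::panic;

// Hypothetical error type for this example; not a Deno type.
#[derive(Debug, PartialEq)]
enum HandshakeError {
    NonAsciiHeader { name: &'static str, offset: usize, byte: u8 },
}

/// Visible ASCII, plus space and horizontal tab.
fn is_visible_ascii(b: u8) -> bool {
    b == b'\t' || (0x20..0x7f).contains(&b)
}

/// Fallible conversion: Ok only when every byte is visible ASCII.
fn header_to_str<'a>(name: &'static str, raw: &'a [u8]) -> Result<&'a str, HandshakeError> {
    match raw.iter().position(|&b| !is_visible_ascii(b)) {
        Some(offset) => Err(HandshakeError::NonAsciiHeader { name, offset, byte: raw[offset] }),
        // Every byte passed the ASCII check, so the slice is valid UTF-8.
        None => Ok(std::str::from_utf8(raw).expect("ASCII is valid UTF-8")),
    }
}

/// Unsafe pattern: trusts bytes chosen by the remote server and unwraps.
fn negotiated_protocol_unchecked(raw: &[u8]) -> String {
    header_to_str("sec-websocket-protocol", raw).unwrap().trim().to_string()
}

/// Hardened pattern: a bad header fails this handshake only.
fn negotiated_protocol(raw: &[u8]) -> Result<String, HandshakeError> {
    Ok(header_to_str("sec-websocket-protocol", raw)?.trim().to_string())
}

/// Reports whether the unchecked path panics for the given header bytes.
fn unchecked_panics(raw: &[u8]) -> bool {
    let raw = raw.to_vec();
    panic::catch_unwind(move || negotiated_protocol_unchecked(&raw)).is_err()
}

fn main() {
    let good: &[u8] = b"chat"; // constructed sample value
    let bad: &[u8] = b"chat\xff"; // constructed sample with one byte in 0x80-0xFF
    println!("{:?}", negotiated_protocol(good));
    println!("{:?}", negotiated_protocol(bad));
    println!("unchecked path panics: {}", unchecked_panics(bad));
}
```

In the hardened form the caller receives an error it can turn into a failed connection, so one malformed handshake response no longer takes down the whole process.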