Deno Infinite Encryption Vulnerability in Node:Crypto Allowing Secret Leakage

Vulnerability

A vulnerability in Deno's JavaScript and TypeScript runtime, specifically in the node:crypto module, allows a cipher to keep encrypting indefinitely without ever being finalized. The issue, present in versions through 2.5.6, could enable naive brute-force attempts or more sophisticated attacks aimed at uncovering server secrets. It arises because the encryption process is never properly concluded, leaving room for exploitation.

Impact

Exploitation of this vulnerability could result in unauthorized access to server secrets, potentially allowing attackers to impersonate users or access restricted resources.

Reproduction

To reproduce this vulnerability, import the 'node:crypto' module and create a cipher using the 'aes-256-cbc' algorithm. After starting the encryption process, call the 'final' method on the cipher. The expected output should indicate that the cipher has been finalized, but on a vulnerable version the actual output shows that the cipher is still open and has not been properly closed.

Remediation

Users are advised to upgrade to Deno version 2.6.0 or later, where this vulnerability has been fixed.

Added: Jan 15, 2026, 11:19 PM
Updated: Jan 15, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.