CVE-2026-49440

HIGH 7.4

Deno: Miller-Rabin Primality Test Allows Zero Rounds

CVSS Score

7.4

EPSS Score

0.0%

EPSS Percentile

0th

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied to the candidate was trial division by the primes up to 17,863. Any composite whose smallest prime factor exceeds that bound — for example the product of two primes just above it, such as 17,881 × 17,891 — was reported as true ("probably prime"). The same divergence affected the lower-level op_node_check_prime / op_node_check_prime_bytes paths that the polyfill calls into. This vulnerability is fixed in 2.8.1.

CWE	CWE-325
Vendor	denoland
Product	deno
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for denoland deno

Be the first to know when new high vulnerabilities affecting denoland deno are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

denoland / deno

< 2.8.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/denoland/deno/security/advisories/GHSA-9xg4-qhm4-g43w github.com: https://github.com/denoland/deno/pull/34391