Threat Advisory

Deno Vulnerability Allows False Prime Detection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Deno runtime, affecting versions up to 2.8.0 for the primality‑test flaw and versions prior to 2.7.10 for the Windows command‑injection issue. The first vulnerability lies in the Node.js‑compatible `crypto.checkPrime` and `crypto.checkPrimeSync` APIs: when the `checks` option is left at its default of 0, which in the Node.js API means "use a default number of Miller‑Rabin rounds", the runtime performs no Miller‑Rabin rounds at all, so a crafted composite number is accepted as prime. The second vulnerability enables arbitrary command execution on Windows when `spawn`, `spawnSync`, or related `child_process` functions are used with `shell: true` and untrusted arguments. The first flaw undermines cryptographic trust and the second permits malicious code execution, posing significant confidentiality, integrity, and availability risks for Deno‑based applications.

• CVE-2026-49440 with a CVSS score of 7.4 – The flaw resides in Deno's `crypto.checkPrime` and `crypto.checkPrimeSync` functions, where the default `checks` value of 0 is taken literally and disables Miller‑Rabin testing instead of selecting the default number of rounds; an attacker who can supply a candidate number (for example a composite with no small factors, which survives trial division) causes the runtime to treat it as prime. Exploitation requires only the ability to influence the input to the prime‑validation routine.
• CVE-2026-49402 with a CVSS score of 8.1 – Deno's `escapeShellArg` on Windows fails to properly quote arguments containing cmd.exe metacharacters when `shell: true` is used, so an attacker who controls any single argument can append additional cmd.exe commands (the reported proof of concept launches `calc.exe`). The attack requires the victim application to invoke a `child_process` function with untrusted input while the shell option is enabled.
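To make the primality flaw concrete, the following is an added example written for this advisory (it is not Deno's source): a constructed model of the bug beside the corrected behaviour, plus an `auditCheckPrime` harness that feeds known primes and composites to any `checkPrimeSync`-style function. The names `checkPrimeBroken`, `checkPrimeFixed`, `auditCheckPrime`, `DEFAULT_ROUNDS` and the audit set are assumptions made here; the contract the fixed version follows is the Node.js one, where `checks: 0` means "use a default number of rounds", not "zero rounds".

```javascript
// Added example (not Deno's code): model of the checkPrime default-rounds bug,
// the corrected behaviour, and an audit harness for real implementations.

const SMALL_PRIMES = [2n, 3n, 5n, 7n, 11n, 13n, 17n, 19n, 23n, 29n, 31n, 37n, 41n, 43n, 47n];

// Assumed default: 32 rounds bound the false-positive rate by 4^-32 = 2^-64
// (generic Miller-Rabin bound of 1/4 per round).
const DEFAULT_ROUNDS = 32;

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Random base in [2, n-2]; uses WebCrypto when present (Node >= 19, Deno), else Math.random.
function randomBase(n) {
  const range = n - 3n; // number of candidates 2 .. n-2
  const bits = range.toString(2).length;
  const byteLen = Math.ceil(bits / 8);
  const buf = new Uint8Array(byteLen);
  const topMask = (1 << (bits - 8 * (byteLen - 1))) - 1;
  for (;;) {
    if (globalThis.crypto?.getRandomValues) globalThis.crypto.getRandomValues(buf);
    else for (let i = 0; i < byteLen; i++) buf[i] = Math.floor(Math.random() * 256);
    buf[0] &= topMask; // keep rejection sampling cheap
    let x = 0n;
    for (const b of buf) x = (x << 8n) | BigInt(b);
    if (x < range) return x + 2n;
  }
}

// One Miller-Rabin round: false when base `a` witnesses that n is composite.
function millerRabinRound(n, d, r, a) {
  let x = modPow(a, d, n);
  if (x === 1n || x === n - 1n) return true;
  for (let i = 1n; i < r; i++) {
    x = (x * x) % n;
    if (x === n - 1n) return true;
  }
  return false;
}

// True when n survives `rounds` rounds with random bases. With rounds === 0 the
// loop never runs and the function vacuously reports "probably prime".
function millerRabin(n, rounds) {
  let d = n - 1n, r = 0n;
  while (d % 2n === 0n) { d /= 2n; r += 1n; }
  for (let i = 0; i < rounds; i++) {
    if (!millerRabinRound(n, d, r, randomBase(n))) return false;
  }
  return true;
}

// Cheap pre-filter: "prime" / "composite" when decided by a small prime, else "unknown".
function trialDivision(n) {
  if (n < 2n) return "composite";
  for (const p of SMALL_PRIMES) {
    if (n === p) return "prime";
    if (n % p === 0n) return "composite";
  }
  return "unknown";
}

// Constructed model of the vulnerable behaviour: `checks` is used literally, so the
// default of 0 means zero rounds and any odd number without a small factor passes.
function checkPrimeBroken(candidate, { checks = 0 } = {}) {
  const t = trialDivision(candidate);
  if (t !== "unknown") return t === "prime";
  return millerRabin(candidate, checks);
}

// Corrected behaviour: 0 selects the default round count, as the Node.js API specifies.
function checkPrimeFixed(candidate, { checks = 0 } = {}) {
  const t = trialDivision(candidate);
  if (t !== "unknown") return t === "prime";
  return millerRabin(candidate, checks === 0 ? DEFAULT_ROUNDS : checks);
}

// Constructed audit set: [candidate, isPrime]; the semiprimes have no factor below 50.
const AUDIT_SET = [
  [561n, false],                                  // 3 * 11 * 17, caught by trial division
  [1009n, true],
  [1022117n, false],                              // 1009 * 1013
  [2n ** 61n - 1n, true],                         // Mersenne prime M61
  [(2n ** 31n - 1n) * (2n ** 61n - 1n), false],   // M31 * M61
];

// Returns the candidates an implementation misclassifies when called with default options.
function auditCheckPrime(checkPrimeSync) {
  return AUDIT_SET.filter(([n, isPrime]) => checkPrimeSync(n) !== isPrime).map(([n]) => n);
}
```

Pointing `auditCheckPrime` at a runtime's own implementation (under Deno: `import { checkPrimeSync } from "node:crypto"`, then `auditCheckPrime(checkPrimeSync)`) returns the candidates it misclassifies; a result that contains the semiprimes means the default-rounds bug is present. The 32-round default here comes from the generic 1/4-per-round error bound; production implementations size the round count to the candidate's bit length instead.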

These vulnerabilities collectively raise the urgency for organizations running Deno services to assess exposure, as the primality flaw can compromise cryptographic operations and the command‑injection flaw can lead to arbitrary code execution, potentially resulting in data breaches, loss of trust, and service interruption. Immediate risk evaluation and planning for remediation are strongly advised.
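The Windows command-injection class, as an added example that is not Deno's code: a simplified model of how cmd.exe splits a command line into separate commands, a constructed naive escaper that only quotes on whitespace, and a caret-escaping alternative of the kind cross-spawn uses on Windows. `cmdSplitCommands`, `naiveEscape`, `escapeCmdArg`, `buildCommandLine`, `isInjected`, `tool.exe` and `HOSTILE_ARG` are all assumptions made for the illustration; the model deliberately ignores many cmd.exe rules (variable expansion, redirection, the outer `/s /c` quoting) and is only meant to show how one hostile argument becomes a second command.

```javascript
// Added example (not Deno's code): why a shell-argument escaper that misses cmd.exe
// metacharacters turns one attacker-controlled argument into a second command.

// Minimal model of cmd.exe line parsing: '"' toggles quote state, outside quotes '^'
// escapes the next character, and unquoted '&', '&&', '|', '||' separate commands.
// Real cmd.exe has more rules; this is enough to show the injection.
function cmdSplitCommands(line) {
  const commands = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (c === '"') { inQuotes = !inQuotes; current += c; continue; }
    if (!inQuotes && c === "^" && i + 1 < line.length) { current += line[++i]; continue; }
    if (!inQuotes && (c === "&" || c === "|")) {
      if (line[i + 1] === c) i++; // '&&' and '||' are separators too
      commands.push(current.trim());
      current = "";
      continue;
    }
    current += c;
  }
  if (current.trim() !== "") commands.push(current.trim());
  return commands;
}

// Constructed naive escaper: quotes only when there is whitespace and never neutralises
// an embedded '"', so the argument can close the quote and reach the shell unquoted.
function naiveEscape(arg) {
  return /\s/.test(arg) ? `"${arg}"` : arg;
}

// Caret escaping: escape quotes (and the backslashes before them) for the program's
// argv parser, wrap in quotes, then prefix every cmd.exe metacharacter with '^' so
// cmd.exe passes it through literally instead of interpreting it.
function escapeCmdArg(arg) {
  let out = arg.replace(/(\\*)"/g, '$1$1\\"');
  out = out.replace(/(\\*)$/, "$1$1"); // trailing backslashes must not eat the closing quote
  out = `"${out}"`;
  return out.replace(/[()%!^"<>&|]/g, "^$&");
}

// The string a spawn(file, args, { shell: true }) call hands to cmd.exe, for a given escaper.
function buildCommandLine(file, args, escape) {
  return [file, ...args.map(escape)].join(" ");
}

// True when some argument injects a second command under this escaper.
function isInjected(file, args, escape) {
  return cmdSplitCommands(buildCommandLine(file, args, escape)).length > 1;
}

// Constructed attacker-controlled argument, modelled on the advisory's calc.exe proof of concept.
const HOSTILE_ARG = 'report" & calc.exe & "';
```

The practical mitigation is to keep untrusted arguments away from a shell altogether: call `spawn(file, args)` with the default `shell: false`, so the argument array is quoted for the target program's argv parser rather than interpreted by cmd.exe. Caret escaping is shown because it is what an escaper must do on Windows when a shell is unavoidable; a metacharacter missed by such an escaper is exactly the class of bug described above.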

RECOMMENDATION:

  • We recommend updating Deno to version 2.8.1 or later; confirm the installed build with `deno --version`.
  • Until the update is deployed, do not pass untrusted input to `spawn`, `spawnSync`, or related `child_process` functions with `shell: true` on Windows; invoke the program with an argument array and the shell option disabled instead.
  • Review code paths that call `crypto.checkPrime` or `crypto.checkPrimeSync` on affected versions without an explicit non‑zero `checks` value, and re‑validate any attacker‑influenced numbers they accepted as prime.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-9xg4-qhm4-g43w
https://github.com/advisories/GHSA-7xh3-mhg9-jcw8
