The vulnerability in denoland's Deno runtime affects the node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) functions prior to version 2.8.1. When the options.checks parameter is set to its default value of 0, these functions skip the Miller-Rabin primality test rounds entirely, relying only on trial division by primes up to 17,863. This allows composite numbers whose smallest prime factor is greater than 17,863 to be falsely reported as probably prime. The lower-level op_node_check_prime and op_node_check_prime_bytes paths are also affected. This cryptographic step omission is classified under CWE-325 and is addressed by updating to Deno 2.8.1.

The vulnerability causes the primality checking functions to incorrectly identify certain composite numbers as prime, potentially undermining cryptographic operations that rely on accurate prime validation. This could lead to weakened cryptographic guarantees, impacting confidentiality and integrity in affected applications. The CVSS score of 7.4 reflects a high severity with network attack vector, high impact on confidentiality and integrity, and no privileges or user interaction required.

A fix is available in Deno version 2.8.1. Users should upgrade to version 2.8.1 or later to ensure the Miller-Rabin primality tests are properly performed. No other mitigation is indicated or required.