{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jsrsasign/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jsrsasign","vulnerability","signature-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJsrsasign is a free open source cryptography library for JavaScript. Versions before 11.1.1 contain an incorrect conversion between numeric types due to improper handling of negative exponents in the \u003ccode\u003eext/jsbn2.js\u003c/code\u003e file. This vulnerability, identified as CVE-2026-4602, allows an attacker to force the computation of incorrect modular inverses, leading to the potential breakage of signature verification. The vulnerability was reported and patched in March 2026. This could allow an attacker to…\u003c/p\u003e\n","date_modified":"2026-03-23T06:16:22Z","date_published":"2026-03-23T06:16:22Z","id":"/briefs/2026-03-jsrsasign-vuln/","summary":"Jsrsasign versions before 11.1.1 are vulnerable to an incorrect conversion between numeric types vulnerability, where an attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.","title":"Jsrsasign \u003c 11.1.1 Incorrect Conversion Vulnerability (CVE-2026-4602)","url":"https://feed.craftedsignal.io/briefs/2026-03-jsrsasign-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["denial-of-service","javascript","node.js","jsrsasign","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe jsrsasign library, a popular JavaScript library for implementing cryptography standards, is susceptible to a denial-of-service vulnerability. Specifically, versions prior to 11.1.1 are vulnerable to CVE-2026-4598, where the \u003ccode\u003ebnModInverse\u003c/code\u003e function within \u003ccode\u003eext/jsbn2.js\u003c/code\u003e can enter an infinite loop when processing zero or negative inputs to the \u003ccode\u003eBigInteger.modInverse\u003c/code\u003e function. An attacker can exploit this by providing maliciously crafted values (e.g., \u003ccode\u003emodInverse(0, m)\u003c/code\u003e or `modInverse(-1…\u003c/p\u003e\n","date_modified":"2026-03-23T06:16:21Z","date_published":"2026-03-23T06:16:21Z","id":"/briefs/2026-03-jsrsasign-infinite-loop/","summary":"Jsrsasign versions before 11.1.1 are vulnerable to an infinite loop via the bnModInverse function when processing zero or negative inputs, potentially leading to a denial of service.","title":"Jsrsasign Infinite Loop Vulnerability (CVE-2026-4598)","url":"https://feed.craftedsignal.io/briefs/2026-03-jsrsasign-infinite-loop/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["jsrsasign","dsa","missing-cryptographic-step","CVE-2026-4601"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists in jsrsasign versions prior to 11.1.1, specifically within the \u003ccode\u003eKJUR.crypto.DSA.signWithMessageHash\u003c/code\u003e function used for DSA signing. This flaw, identified as CVE-2026-4601, stems from a missing cryptographic step during signature generation. An attacker can exploit this by manipulating the process to force either the \u0026lsquo;r\u0026rsquo; or \u0026rsquo;s\u0026rsquo; component of the signature to be zero. When this occurs, the library generates an invalid signature without retry, which then allows the attacker…\u003c/p\u003e\n","date_modified":"2026-03-23T06:16:21Z","date_published":"2026-03-23T06:16:21Z","id":"/briefs/2026-03-jsrsasign-dsa/","summary":"jsrsasign versions before 11.1.1 are vulnerable to a missing cryptographic step in the DSA signing implementation, allowing an attacker to recover the private key by manipulating the signature generation process.","title":"jsrsasign DSA Signing Vulnerability (CVE-2026-4601)","url":"https://feed.craftedsignal.io/briefs/2026-03-jsrsasign-dsa/"}],"language":"en","title":"CraftedSignal Threat Feed — Jsrsasign","version":"https://jsonfeed.org/version/1.1"}