Jsrsasign — CraftedSignal Threat Feed

Jsrsasign < 11.1.1 Incorrect Conversion Vulnerability (CVE-2026-4602)

hello@craftedsignal.io — Mon, 23 Mar 2026 06:16:22 +0000

Jsrsasign is a free open source cryptography library for JavaScript. Versions before 11.1.1 contain an incorrect conversion between numeric types due to improper handling of negative exponents in the ext/jsbn2.js file. This vulnerability, identified as CVE-2026-4602, allows an attacker to force the computation of incorrect modular inverses, leading to the potential breakage of signature verification. The vulnerability was reported and patched in March 2026. This could allow an attacker to…

Jsrsasign Infinite Loop Vulnerability (CVE-2026-4598)

hello@craftedsignal.io — Mon, 23 Mar 2026 06:16:21 +0000

The jsrsasign library, a popular JavaScript library for implementing cryptography standards, is susceptible to a denial-of-service vulnerability. Specifically, versions prior to 11.1.1 are vulnerable to CVE-2026-4598, where the bnModInverse function within ext/jsbn2.js can enter an infinite loop when processing zero or negative inputs to the BigInteger.modInverse function. An attacker can exploit this by providing maliciously crafted values (e.g., modInverse(0, m) or `modInverse(-1…

jsrsasign DSA Signing Vulnerability (CVE-2026-4601)

hello@craftedsignal.io — Mon, 23 Mar 2026 06:16:21 +0000

A vulnerability exists in jsrsasign versions prior to 11.1.1, specifically within the KJUR.crypto.DSA.signWithMessageHash function used for DSA signing. This flaw, identified as CVE-2026-4601, stems from a missing cryptographic step during signature generation. An attacker can exploit this by manipulating the process to force either the ‘r’ or ’s’ component of the signature to be zero. When this occurs, the library generates an invalid signature without retry, which then allows the attacker…