EUVD-2026-14373
GHSA-5jx8-q4cp-rhh6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Description
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.
Analysis
The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functions that allows attackers to recover private DSA keys through nonce bias exploitation. Versions 7.0.0 through 11.1.0 are affected. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all internal and third-party applications using jsrsasign library versions 7.0.0-11.1.0; audit systems for DSA key usage; escalate findings to application owners. Within 7 days: Evaluate alternative cryptographic libraries (e.g., TweetNaCl.js, libsodium.js); begin migration planning; implement network monitoring for exploitation attempts. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today