Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (snyk).
CVSS VectorVendor: snyk
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 34 npm packages depend on jsrsasign (9 direct, 25 indirect)
Ecosystem-wide dependent count for version 11.1.1.
DescriptionCVE.org
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
AnalysisAI
Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 certificates by supplying malicious domain parameters (g=1, y=1, r=1) that cause verification functions to incorrectly validate any message hash. This actively undermines authentication and integrity checks in applications using the library for JWT validation, certificate verification, or digital signatures. EPSS score is negligible (0.01%) despite proof-of-concept availability, and CISA SSVC classifies this as requiring proof-of-concept but not automatable, indicating targeted exploitation risk rather than widespread scanning.
Technical ContextAI
jsrsasign is a pure JavaScript cryptographic library implementing RSA, ECDSA, DSA signature schemes and X.509 certificate handling, commonly used in Node.js and browser environments for JWT token validation and PKI operations. The vulnerability (CWE-347: Improper Verification of Cryptographic Signature) exists in the DSA domain-parameter validation logic within KJUR.crypto.DSA.setPublic and related verification flows in src/dsa-2.0.js. DSA signature verification requires validating that domain parameters (p, q, g) and public key (y) satisfy mathematical properties - specifically that g generates a subgroup of order q. By accepting attacker-controlled parameters where g=1 and y=1, the verification equation (v = r) becomes trivially true when the attacker sets r=1, regardless of the message hash or actual signature value s. This bypasses the fundamental cryptographic assurance that only the holder of the private key can produce valid signatures.
RemediationAI
Upgrade jsrsasign to version 11.1.1 or later, which implements proper DSA domain-parameter validation per the fix in GitHub commit 37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60 and pull request #646 (https://github.com/kjur/jsrsasign/pull/646). Red Hat users should apply patches per their respective RHSA advisories. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Disable DSA algorithm support in signature verification code and reject any certificates or tokens using DSA signatures - this breaks legitimate DSA-signed content but RSA and ECDSA remain functional; (2) Implement strict allowlisting of trusted certificate authorities and reject any certificates with unexpected issuers - reduces attack surface but requires maintaining CA lists and breaks dynamic trust scenarios; (3) Add pre-verification checks to reject DSA public keys where g=1 or y=1 before calling jsrsasign verification functions - requires modifying application code and understanding DSA parameter constraints. Do not rely solely on updating cryptographic libraries in transitive dependencies; verify that your application code and direct dependencies have also upgraded. Test thoroughly as cryptographic library updates can expose previously-masked implementation bugs in consuming applications.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14375
GHSA-wvqx-v3f6-w8rh