EUVD-2026-14375
GHSA-wvqx-v3f6-w8rh
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
Analysis
A cryptographic signature verification vulnerability exists in the jsrsasign JavaScript library before version 11.1.1 that allows attackers to forge DSA signatures and X.509 certificates. The vulnerability affects DSA domain-parameter validation in KJUR.crypto.DSA.setPublic, enabling complete bypass of signature verification by supplying malicious domain parameters (g=1, y=1, r=1). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications and systems using jsrsasign library and assess whether DSA signature verification is actively used in production environments. Within 7 days: Implement network segmentation and WAF rules to restrict access to affected applications, disable DSA signature verification if not business-critical, and begin evaluation of alternative cryptographic libraries. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today