EUVD-2026-14377
GHSA-w8q8-93cx-6h7r
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
4Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.
Analysis
A cryptographic vulnerability in the jsrsasign JavaScript library allows attackers to recover DSA private keys through invalid signatures. Versions before 11.1.1 fail to validate and retry when DSA signature parameters r or s become zero during the signing process, enabling mathematical recovery of the private key from the malformed signature. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications and dependencies using jsrsasign library and identify those using DSA signatures in production. Within 7 days: Disable DSA signature functionality where possible, migrate to RSA or ECDSA alternatives, or isolate affected systems from untrusted network inputs. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today