Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (snyk).
CVSS VectorVendor: snyk
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 34 npm packages depend on jsrsasign (9 direct, 25 indirect)
Ecosystem-wide dependent count for version 11.1.1.
DescriptionCVE.org
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.
AnalysisAI
Private key recovery is possible in jsrsasign versions before 11.1.1 when attackers force invalid DSA signatures with zero r or s values during the signing process. The library fails to validate or retry these malformed signatures, allowing attackers to algebraically solve for the private key x from the emitted signature. Publicly available exploit code exists demonstrating the key recovery technique (EPSS: 0.02%, percentile 5%), though no confirmed active exploitation. Vendor-released patch: version 11.1.1.
Technical ContextAI
jsrsasign is a pure JavaScript cryptographic library implementing RSA, ECC, and DSA signing algorithms. The vulnerability affects the KJUR.crypto.DSA.signWithMessageHash function in the DSA (Digital Signature Algorithm) implementation, classified as CWE-325 (Missing Cryptographic Step). DSA signatures consist of two components (r, s) derived from a random nonce k and the private key x. Proper DSA implementations must validate that neither r nor s equals zero, as this mathematical edge case allows trivial private key extraction. The affected library (CPE: cpe:2.3:a:n/a:jsrsasign:*:*:*:*:*:*:*:*) lacks this critical validation step, emitting invalid signatures without retrying with a new nonce. An attacker who can observe or influence the signing process can force these zero-value conditions and then algebraically derive the private key from the invalid signature parameters.
RemediationAI
Upgrade jsrsasign to version 11.1.1 or later, which implements proper validation to reject signatures with r=0 or s=0 and retry with a new nonce as confirmed in GitHub commit 0710e392ec35de697ce11e4219c988ba2b5fe0eb and pull request 645 (https://github.com/kjur/jsrsasign/pull/645). For Node.js projects, update package.json to specify jsrsasign version >=11.1.1 and run npm update or yarn upgrade. Red Hat customers should apply platform-specific patches per advisories at https://access.redhat.com/errata/RHSA-2026:6912 and related RHSA bulletins. If immediate patching is not feasible, implement compensating controls: (1) Migrate DSA signing operations to ECDSA or RSA-PSS algorithms which are not affected by this specific flaw (trade-off: requires certificate reissuance and client compatibility verification), (2) Implement application-layer signature validation that rejects signatures where r=0 or s=0 before accepting them (trade-off: adds processing overhead and may break legitimate but rare edge cases), (3) Restrict signing operations to trusted internal services only, removing network accessibility (trade-off: limits architectural flexibility for distributed systems). Note that verification-only usage of jsrsasign does not expose the private key recovery vector.
An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Rated critical severity (CVSS 9.8), this vul
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Rated critical severity (CVSS 9.8), this vul
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP
The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functio
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized
Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 cert
The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allo
The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature
jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by imprope
Same weakness CWE-325 – Missing Cryptographic Step
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14377
GHSA-w8q8-93cx-6h7r