EUVD-2026-14379
GHSA-8qwj-4jxw-m8jw
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 33 npm packages depend on jsrsasign (9 direct, 24 indirect)
Ecosystem-wide dependent count for version 11.1.1.
DescriptionNVD
Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.
AnalysisAI
The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature verification by exploiting incorrect handling of negative exponents in modular exponentiation operations. This affects all versions prior to 11.1.1 of the jsrsasign package, enabling remote attackers without authentication to compromise cryptographic signature validation. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Audit all applications and dependencies to identify jsrsasign usage across the organization and document version numbers; notify relevant development and security teams. Within 7 days: Implement compensating controls including signature validation logging, disable jsrsasign-dependent features if non-critical, and deploy WAF rules to detect exploitation attempts; prioritize migration planning to alternative cryptographic libraries. …
Sign in for detailed remediation steps.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today