Skip to main content

Jsrsasign CVE-2026-4603

| EUVD-2026-14380 LOW
Divide By Zero (CWE-369)
2026-03-23 snyk GHSA-464q-cqxq-xhgr
Information Disclosure Jsrsasign
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.9 (MEDIUM) 2.0 (LOW)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
PoC Detected
Mar 23, 2026 - 16:08 vuln.today
Public exploit code
EUVD ID Assigned
Mar 23, 2026 - 05:45 euvd
EUVD-2026-14380
Analysis Generated
Mar 23, 2026 - 05:45 vuln.today
CVE Published
Mar 23, 2026 - 05:00 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 33 npm packages depend on jsrsasign (9 direct, 24 indirect)

Ecosystem-wide dependent count for version 11.1.1.

DescriptionCVE.org

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.

AnalysisAI

jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by improper parsing of JWK moduli that decode to zero. An attacker can supply a malicious JWK to force RSA verify and encryption operations to produce deterministic zero outputs while suppressing invalid key errors, leading to cryptographic bypass and information disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS 3.1 base score of 5.9 (Medium) with vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L indicates low attack complexity and no privileges required, but the local attack vector constrains exploitability to scenarios where an attacker can supply malicious input to a local or trusted process. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker provides a malicious JWK to a web application that uses jsrsasign to verify JWT signatures from a federated identity provider. The JWK has a valid structure but the modulus field decodes to zero. …
Remediation Immediately upgrade jsrsasign to version 11.1.1 or later via npm (npm install jsrsasign@^11.1.1) or equivalent package manager. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-4603 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy