EUVD-2026-14380
GHSA-464q-cqxq-xhgr
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
5Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.
Analysis
jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by improper parsing of JWK moduli that decode to zero. An attacker can supply a malicious JWK to force RSA verify and encryption operations to produce deterministic zero outputs while suppressing invalid key errors, leading to cryptographic bypass and information disclosure. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today