Skip to main content

Jsrsasign EUVDEUVD-2026-14371

| CVE-2026-4598 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-03-23 snyk GHSA-8g7p-jf3g-gxcp
7.7
CVSS 4.0 · Vendor: snyk
Share

Severity by source

Vendor (snyk) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (snyk).

CVSS VectorVendor: snyk

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Jun 22, 2026 - 03:22 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 03:22 NVD
7.5 (HIGH) 7.7 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 05:45 euvd
EUVD-2026-14371
Analysis Generated
Mar 23, 2026 - 05:45 vuln.today
CVE Published
Mar 23, 2026 - 05:00 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 34 npm packages depend on jsrsasign (9 direct, 25 indirect)

Ecosystem-wide dependent count for version 11.1.1.

DescriptionCVE.org

Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).

AnalysisAI

The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allows remote attackers to permanently hang application processes through specially crafted zero or negative input values. All versions of jsrsasign prior to 11.1.1 are affected by this high-severity denial-of-service condition. A proof-of-concept exploit exists demonstrating the vulnerability, and the CVSS score of 7.5 reflects the ease of exploitation (network-accessible, low complexity, no authentication required).

Technical ContextAI

jsrsasign is a widely-used pure JavaScript cryptographic library implementing RSA, ECDSA, and other asymmetric cryptographic operations, commonly deployed in Node.js applications and browsers for JWT handling, certificate processing, and digital signatures. The vulnerability resides in the bnModInverse function within ext/jsbn2.js, which implements modular multiplicative inverse calculations for big integers (CWE-835: Loop with Unreachable Exit Condition). When the BigInteger.modInverse method receives zero or negative values as input (such as modInverse(0, m) or modInverse(-1, m)), the function enters an infinite loop due to insufficient input validation, causing the JavaScript execution environment to hang indefinitely. The affected product is identified via CPE cpe:2.3:a:n/a:jsrsasign:*:*:*:*:*:*:*:* covering all versions before the patched release.

RemediationAI

Immediately upgrade jsrsasign to version 11.1.1 or later, which includes input validation fixes implemented in commit ca5b027240287a1e71fe63019fc4400332594323 (see pull request at https://github.com/kjur/jsrsasign/pull/648). Organizations should audit all applications using jsrsasign by checking package.json dependencies and transitive dependencies, then update to the patched version through npm or yarn package managers. As an interim mitigation before patching, implement input validation at the application layer to reject zero, negative, or obviously malformed values before passing them to cryptographic functions, and consider rate limiting and timeout mechanisms on API endpoints that perform cryptographic operations to limit the blast radius of denial-of-service attempts. Web application firewalls can be configured to detect and block requests containing suspicious patterns in cryptographic operation parameters.

CVE-2020-14968 CRITICAL POC
9.8 Jun 22

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Rated critical severity (CVSS 9.8), this vul

CVE-2020-14967 CRITICAL POC
9.8 Jun 22

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Rated critical severity (CVSS 9.8), this vul

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2024-21484 MEDIUM POC
5.9 Jan 22

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP

CVE-2026-4599 CRITICAL
9.3 Mar 23

The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functio

CVE-2021-30246 CRITICAL
9.1 Apr 07

In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized

CVE-2026-4601 HIGH
8.8 Mar 23

Private key recovery is possible in jsrsasign versions before 11.1.1 when attackers force invalid DSA signatures with ze

CVE-2026-4600 HIGH
8.1 Mar 23

Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 cert

CVE-2026-4602 HIGH
7.7 Mar 23

The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature

CVE-2026-4603 LOW POC
2.0 Mar 23

jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by imprope

Vendor StatusVendor

Share

EUVD-2026-14371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy