Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (snyk).
CVSS VectorVendor: snyk
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.
AnalysisAI
The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functions that allows attackers to recover private DSA keys through nonce bias exploitation. Versions 7.0.0 through 11.1.0 are affected. A proof-of-concept is publicly available (referenced in GitHub Gist), demonstrating the attack feasibility, and the vulnerability requires no authentication or user interaction for remote exploitation.
Technical ContextAI
jsrsasign is a widely-used pure JavaScript implementation of cryptographic operations including RSA, DSA, ECC, and X.509 certificates, commonly deployed in Node.js applications and browser-based cryptography. The vulnerability stems from CWE-1023 (Incomplete Comparison with Missing Factors) in the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions within src/crypto-1.1.js. These functions incorrectly validate randomly generated numbers through flawed compareTo checks, allowing out-of-range values to be accepted as valid candidates. When used for DSA signature generation, this flaw creates a measurable bias in the nonce values, which can be exploited through mathematical analysis of multiple signatures to extract the private signing key, fundamentally breaking the security guarantees of DSA.
RemediationAI
Immediately upgrade jsrsasign to version 11.1.1 or later, which addresses the flawed random number generation logic through the fix implemented in GitHub pull request 647 (https://github.com/kjur/jsrsasign/pull/647) and committed as ee4b013478366cb16cea9a4bdfb218b6077f83b1 (https://github.com/kjur/jsrsasign/commit/ee4b013478366cb16cea9a4bdfb218b6077f83b1). Review the Snyk advisory at https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370939 for additional guidance. Organizations unable to immediately upgrade should rotate all DSA keys that were generated or used with affected versions, as previously generated signatures may have already leaked information about the private key. Consider migrating from DSA to more modern signature algorithms like ECDSA or EdDSA where feasible, as DSA is increasingly deprecated in favor of more robust alternatives.
An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Rated critical severity (CVSS 9.8), this vul
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Rated critical severity (CVSS 9.8), this vul
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized
Private key recovery is possible in jsrsasign versions before 11.1.1 when attackers force invalid DSA signatures with ze
Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 cert
The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allo
The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature
jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by imprope
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14373
GHSA-5jx8-q4cp-rhh6