Skip to main content

Jsrsasign EUVDEUVD-2026-14379

| CVE-2026-4602 HIGH
Incorrect Conversion between Numeric Types (CWE-681)
2026-03-23 snyk GHSA-8qwj-4jxw-m8jw
7.7
CVSS 4.0 · Vendor: snyk
Share

Severity by source

Vendor (snyk) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (snyk).

CVSS VectorVendor: snyk

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Jun 22, 2026 - 03:22 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 03:22 NVD
7.5 (HIGH) 7.7 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 05:45 euvd
EUVD-2026-14379
Analysis Generated
Mar 23, 2026 - 05:45 vuln.today
CVE Published
Mar 23, 2026 - 05:00 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 34 npm packages depend on jsrsasign (9 direct, 25 indirect)

Ecosystem-wide dependent count for version 11.1.1.

DescriptionCVE.org

Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.

AnalysisAI

The jsrsasign JavaScript library before version 11.1.1 contains a vulnerability that allows attackers to break signature verification by exploiting incorrect handling of negative exponents in modular exponentiation operations. This affects all versions prior to 11.1.1 of the jsrsasign package, enabling remote attackers without authentication to compromise cryptographic signature validation. A proof-of-concept exploit exists as indicated by the CVSS exploitability metric and public GitHub references demonstrating the attack technique.

Technical ContextAI

The jsrsasign library is a widely-used JavaScript implementation of JSON Web Signature, JSON Web Token, JSON Web Key and other cryptographic standards for web applications. The vulnerability (CWE-681: Incorrect Conversion between Numeric Types) resides in the ext/jsbn2.js file where the modPow function incorrectly handles negative exponents during modular exponentiation operations. When a negative exponent is passed to modPow, the function computes incorrect modular inverses, which are critical operations in RSA and other public-key cryptographic algorithms. The affected product is identified as cpe:2.3:a:n/a:jsrsasign:*:*:*:*:*:*:*:* covering all versions prior to the fix.

RemediationAI

Upgrade the jsrsasign package to version 11.1.1 or later, which contains the fix implemented in commit 5ea1c32bb2aa894b4bd29849839afe4f98728195 available at https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195. The patch was merged via pull request 650 at https://github.com/kjur/jsrsasign/pull/650. For npm-based projects, update the package.json dependency and run npm update or npm install to fetch the patched version. Until patching is complete, conduct thorough code review to identify any instances where external or untrusted input could influence the exponent parameter in modPow or related cryptographic operations, and implement input validation to reject negative exponent values. Additionally, consider implementing defense-in-depth measures such as cryptographic signature verification at multiple layers and enhanced logging of signature validation failures to detect potential exploitation attempts.

CVE-2020-14968 CRITICAL POC
9.8 Jun 22

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Rated critical severity (CVSS 9.8), this vul

CVE-2020-14967 CRITICAL POC
9.8 Jun 22

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Rated critical severity (CVSS 9.8), this vul

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2024-21484 MEDIUM POC
5.9 Jan 22

Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP

CVE-2026-4599 CRITICAL
9.3 Mar 23

The jsrsasign JavaScript cryptographic library contains a critical vulnerability in its random number generation functio

CVE-2021-30246 CRITICAL
9.1 Apr 07

In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized

CVE-2026-4601 HIGH
8.8 Mar 23

Private key recovery is possible in jsrsasign versions before 11.1.1 when attackers force invalid DSA signatures with ze

CVE-2026-4600 HIGH
8.1 Mar 23

Cryptographic signature bypass in jsrsasign before 11.1.1 allows remote attackers to forge DSA signatures and X.509 cert

CVE-2026-4598 HIGH
7.7 Mar 23

The jsrsasign JavaScript library contains an infinite loop vulnerability in the BigInteger.modInverse function that allo

CVE-2026-4603 LOW POC
2.0 Mar 23

jsrsasign versions before 11.1.1 contain a division by zero vulnerability in RSA public-key operations caused by imprope

Vendor StatusVendor

Share

EUVD-2026-14379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy