CVE-2026-4600

Summary

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.

Affected Software

VendorProductVersion RangeStatus
n/ajsrsasign0 < 11.1.1affected
n/aorg.webjars.npm:jsrsasign0 < *affected

Weaknesses

  • CWE-347: Improper Verification of Cryptographic Signature

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

jsrsasign: jsrsasign: Cryptographic signature forgery via malicious DSA domain parameters

Additional References

References