Description
ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign.
Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits of scalar. In jsrsasign 8.0.
Recommendation
Update the jsrsasign package to the latest compatible version. Followings are version details:
- Affected version(s): >= 4.0.0, < 8.0.13
- Patched version(s): 8.0.13
References
Related Issues
- Bootstrap Cross-site Scripting vulnerability (GHSA-pj7m-g53m-7638) - CVE-2018-14041
- Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival - CVE-2025-59414
- @astrojs/node's trailing slash handling causes open redirect issue - CVE-2025-55207
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
- Tags:
- npm
- jsrsasign
Anything's wrong? Let us know Last updated on January 09, 2023