Description
ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign.
Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits of scalar. In jsrsasign 8.0.
Recommendation
Update the jsrsasign package to the latest compatible version. Followings are version details:
- Affected version(s): >= 4.0.0, < 8.0.13
- Patched version(s): 8.0.13
References
Related Issues
- Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival - CVE-2025-59414
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
- Marked allows Regular Expression Denial of Service (ReDoS) attacks - CVE-2018-25110
- tarteaucitron.js allows url scheme injection via unfiltered inputs - CVE-2025-31476
- Tags:
- npm
- jsrsasign
Anything's wrong? Let us know Last updated on January 09, 2023