jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations

Severity:: Low

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g.

Recommendation

Update the jsrsasign package to the latest compatible version. Followings are version details:

Affected version(s): < 11.1.1
Patched version(s): 11.1.1

References

GHSA-464q-cqxq-xhgr
security.snyk.io
CVE-2026-4603
CWE-369
CAPEC-310
OWASP 2021-A6

Related Issues

jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation - CVE-2026-4599
jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs - CVE-2026-4598
Marvin Attack of RSA and RSAOAEP decryption in jsrsasign - CVE-2024-21484
Axios: no_proxy bypass via IP alias allows SSRF - CVE-2026-42038

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; jsrsasign

Anything's wrong? Let us know Last updated on March 30, 2026