jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations
- Severity: Low
Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g.
Recommendation
Update the jsrsasign package to the latest compatible version. The version details are as follows:
- Affected version(s): < 11.1.1
- Patched version(s): 11.1.1
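As a defense-in-depth measure alongside the upgrade, an added example (not jsrsasign code and not part of this advisory) that rejects RSA public JWKs with a zero or otherwise malformed modulus before they are passed to any RSA library. The function names and the 2048-bit minimum are assumptions.

```javascript
// Added example: structural checks on an RSA public JWK before key import.
// validateRsaPublicJwk and MIN_MODULUS_BITS are hypothetical, not jsrsasign API.
const MIN_MODULUS_BITS = 2048; // assumed policy floor, adjust to your own

// Decode a base64url unsigned big-endian integer (JWK "n" / "e" encoding).
function b64uToBigInt(value) {
  if (typeof value !== 'string' || !/^[A-Za-z0-9_-]+$/.test(value)) {
    throw new Error('not a base64url string');
  }
  const bytes = Buffer.from(value, 'base64url');
  if (bytes.length === 0) throw new Error('empty integer');
  return BigInt('0x' + bytes.toString('hex'));
}

function validateRsaPublicJwk(jwk) {
  if (!jwk || jwk.kty !== 'RSA') return { ok: false, errors: ['kty is not RSA'] };
  const errors = [];
  let n, e;
  try { n = b64uToBigInt(jwk.n); } catch (err) { errors.push('n: ' + err.message); }
  try { e = b64uToBigInt(jwk.e); } catch (err) { errors.push('e: ' + err.message); }
  if (n !== undefined) {
    if (n === 0n) {
      // A zero modulus turns any "mod n" reduction into a division by zero.
      errors.push('n: modulus is zero');
    } else {
      if ((n & 1n) === 0n) errors.push('n: modulus is even');
      if (n.toString(2).length < MIN_MODULUS_BITS) errors.push('n: modulus too short');
    }
  }
  if (e !== undefined && (e < 3n || (e & 1n) === 0n)) {
    errors.push('e: exponent must be odd and >= 3');
  }
  return { ok: errors.length === 0, errors };
}

// Constructed inputs: "AA" decodes to the single byte 0x00, i.e. n = 0.
const zeroModulusJwk = { kty: 'RSA', n: 'AA', e: 'AQAB' };
// Constructed 2048-bit odd value; passes the structural checks only, not a real key.
const wellFormedJwk = {
  kty: 'RSA',
  n: Buffer.alloc(256, 0xff).toString('base64url'),
  e: 'AQAB',
};

console.log(validateRsaPublicJwk(zeroModulusJwk));
console.log(validateRsaPublicJwk(wellFormedJwk).ok);
```

Checks like this belong at the trust boundary where JWKs arrive; they complement the upgrade to 11.1.1 and do not replace it.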
References
Related Issues
- jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation - CVE-2026-4599
- jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs - CVE-2026-4598
- Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser - CVE-2026-33349
- StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings - CVE-2026-32104
- Tags: npm, jsrsasign
Last updated on March 30, 2026


