jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-parameter validation in KJUR.crypto.DSA.set

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.

Recommendation

Update the jsrsasign package to the latest compatible version. Followings are version details:

• Affected version(s): < 11.1.1
• Patched version(s): 11.1.1

References

• GHSA-wvqx-v3f6-w8rh
• security.snyk.io
• CVE-2026-4600
• CWE-347
• CAPEC-310
• OWASP 2021-A2
• OWASP 2021-A6

Related Issues

• jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction - CVE-2026-4601
• jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation - CVE-2026-4599
• SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 - CVE-2026-34526
• Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching - CVE-2026-46341

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

jsrsasign