jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-parameter validation in KJUR.crypto.DSA.set

Severity:: High

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.

Recommendation

Update the jsrsasign package to the latest compatible version. Followings are version details:

Affected version(s): < 11.1.1
Patched version(s): 11.1.1

References

GHSA-wvqx-v3f6-w8rh
security.snyk.io
CVE-2026-4600
CWE-347
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction - CVE-2026-4601
jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation - CVE-2026-4599
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter - CVE-2026-30965
Parse Server has a protected field change detection oracle via LiveQuery watch parameter - CVE-2026-33429

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; jsrsasign

Anything's wrong? Let us know Last updated on March 30, 2026