jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation

Description

Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.

Recommendation

Update the jsrsasign package to the latest compatible version. Followings are version details:

• Affected version(s): >= 7.0.0, < 11.1.1
• Patched version(s): 11.1.1

References

• GHSA-5jx8-q4cp-rhh6
• security.snyk.io
• CVE-2026-4599
• CWE-1023
• CAPEC-310
• OWASP 2021-A6

Related Issues

• jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction - CVE-2026-4601
• SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 - CVE-2026-34526
• jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-parameter validation in KJUR.crypto.DSA.set - CVE-2026-4600
• Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click - CVE-2026-43941

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

jsrsasign