jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation.

Recommendation

Update the jsrsasign package to the latest compatible version. Followings are version details:

• Affected version(s): < 11.1.1
• Patched version(s): 11.1.1

References

• GHSA-w8q8-93cx-6h7r
• security.snyk.io
• CVE-2026-4601
• CWE-325
• CAPEC-310
• OWASP 2021-A2
• OWASP 2021-A6

Related Issues

• jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation - CVE-2026-4599
• jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-parameter validation in KJUR.crypto.DSA.set - CVE-2026-4600
• tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled envir - CVE-2024-49364
• secp256k1-node allows private key extraction over ECDH - CVE-2024-48930

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

jsrsasign