jsrsasign
npm9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting jsrsasignpage 1 of 1
- CVE-2020-14966HIGHCVSS 7.5EG 7.5✓ Fixed in 8.0.192020-06-22
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and '0' characters appended or prepended to an integer. The mod…
- CVE-2020-14967CRITICALCVSS 9.8EG 9.8✓ Fixed in 8.0.182020-06-22
An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending '\0' bytes to ciphertexts (it decrypts modified ciphertexts with…
- CVE-2020-14968CRITICALCVSS 9.8EG 9.8✓ Fixed in 8.0.172020-06-22
An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified sign…
- CVE-2021-30246CRITICALCVSS 9.1EG 9.1✓ Fixed in 10.2.02021-04-07
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.
- CVE-2022-25898HIGHCVSS 7.7EG 7.7✓ Fixed in 10.5.252022-07-01
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mist…
- CVE-2024-21484HIGHCVSS 7.5EG 7.5✓ Fixed in 11.0.02024-01-22
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnera…
- CVE-2026-4600HIGHCVSS 7.4EG 7.4✓ Fixed in 11.1.12026-03-23
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-…
- CVE-2026-4601HIGHCVSS 8.7EG 8.7✓ Fixed in 11.1.12026-03-23
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s t…
- CVE-2026-4603MEDIUMCVSS 5.9EG 5.9✓ Fixed in 11.1.12026-03-23
Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key…
Check whether jsrsasign is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for jsrsasign CVEs against the assets you own.
Start Free Scan →