SNYK-JS-JSRSASIGN-15370938
## Overview [jsrsasign](https://www.npmjs.com/package/jsrsasign) is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Infinite loop via the `bnModInverse` function in `ext/jsbn2.js` when the `BigInteger.modInverse` implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)). ## Remediation Upgrade `jsrsasign` to version 11.1.1 or higher. ## References - [GitHub Commit](https://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc4400332594323) - [GitHub Gist](https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264) - [GitHub PR](https://github.com/kjur/jsrsasign/pull/648)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Feb 18, 2026 CVE Updated
- Mar 22, 2026 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370938 advisory
- https://www.npmjs.com/package/jsrsasign vendor
- https://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc4400332594323 patch
- https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264 technical
- https://github.com/kjur/jsrsasign/pull/648 patch