SNYK-JS-JSRSASIGN-15370940 PUBLISHED CVSS 9.1 CRITICAL

## Overview

[jsrsasign](https://www.npmjs.com/package/jsrsasign) is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature because `KJUR.crypto.DSA.setPublic` (and the related DSA/X509 verification flow in `src/dsa-2.0.js`) does not validate the DSA domain parameters it is given. An attacker can forge DSA signatures, or X.509 certificates, that `X509.verifySignature()` accepts by supplying degenerate domain parameters such as `g=1` and `y=1` together with a fixed `r=1`. DSA verification computes `v = ((g^u1 * y^u2) mod p) mod q` and accepts when `v == r`; with `g=1` and `y=1` the product is always `1`, so `v == 1 == r` holds for any message hash and any `s` that is invertible mod `q`. The forgery requires no knowledge of any private key; it only requires that the public key the verifier uses (for example, one parsed from an attacker-supplied certificate) be accepted without checking that `g` and `y` are valid subgroup elements and that `r` and `s` lie in `[1, q-1]`.

## Remediation

Upgrade `jsrsasign` to version 11.1.1 or higher.

## References

- [GitHub Commit](https://github.com/kjur/jsrsasign/commit/37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60)
- [GitHub Gist](https://gist.github.com/Kr0emer/bf15ddc097176e951659a24a8e9002a7)
- [GitHub PR](https://github.com/kjur/jsrsasign/pull/646)
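The forgery described above, shown as an added example that is not jsrsasign's code: a textbook DSA verifier that trusts its inputs (`dsaVerifyLax`) accepts the `g=1`, `y=1`, `r=1` "signature" for every hash value, while a verifier that first validates the public key and the signature range (`dsaVerifyStrict`) rejects it and still accepts an honest signature. The toy parameters (`p=23`, `q=11`, `g=4`), the private key, the nonce and the hash values are all constructed for the example and are far too small for real use; all function and constant names are the example's own.

```javascript
// Added example: textbook DSA verification with and without domain-parameter
// validation, written to illustrate the advisory. This is NOT jsrsasign code
// and uses BigInt with tiny constructed parameters (insecure, for illustration).

function modPow(base, exp, mod) {
  let result = 1n;
  base = ((base % mod) + mod) % mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse via the extended Euclidean algorithm; throws if none exists.
function modInv(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error("no modular inverse");
  return ((oldS % m) + m) % m;
}

// Constructed toy domain parameters: q = 11 divides p - 1 = 22, and g = 4 has
// order 11 in Z_23*. Real DSA uses 2048/3072-bit p and 224/256-bit q.
const TOY_PARAMS = { p: 23n, q: 11n, g: 4n };

// Plain textbook verification: v = ((g^u1 * y^u2) mod p) mod q, accept iff v == r.
// It uses g, y, r and s exactly as given, which is the class of bug the advisory describes.
function dsaVerifyLax({ p, q, g, y }, h, r, s) {
  const w = modInv(s, q);
  const u1 = (h * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Checks a verifier should make before using an untrusted DSA public key.
function validateDsaPublic({ p, q, g, y }) {
  if ((p - 1n) % q !== 0n) return false;                          // q must divide p - 1
  if (g <= 1n || g >= p || modPow(g, q, p) !== 1n) return false;  // g generates the order-q subgroup
  if (y <= 1n || y >= p || modPow(y, q, p) !== 1n) return false;  // y lies in that subgroup
  return true;
}

// Hardened verification: reject degenerate parameters and out-of-range r, s.
function dsaVerifyStrict(pub, h, r, s) {
  if (!validateDsaPublic(pub)) return false;
  const { q } = pub;
  if (r <= 0n || r >= q || s <= 0n || s >= q) return false;
  return dsaVerifyLax(pub, h, r, s);
}

// Honest signer, used only to show that the strict verifier still accepts real signatures.
function dsaSign({ p, q, g }, x, h, k) {
  const r = modPow(g, k, p) % q;
  const s = (modInv(k, q) * ((h + x * r) % q)) % q;
  return { r, s };
}

// Forged "public key" and "signature" in the shape the advisory describes:
// g = 1, y = 1 and r = 1 satisfy the lax equation for every hash value.
const FORGED_PUB = { ...TOY_PARAMS, g: 1n, y: 1n };
const FORGED_SIG = { r: 1n, s: 1n };

function demo() {
  const x = 3n;                                        // private key (constructed)
  const honestPub = { ...TOY_PARAMS, y: modPow(TOY_PARAMS.g, x, TOY_PARAMS.p) };
  const h = 7n;                                        // stands in for H(message) mod q
  const sig = dsaSign(TOY_PARAMS, x, h, 3n);           // k = 3: per-message nonce (constructed)
  return {
    honestLax: dsaVerifyLax(honestPub, h, sig.r, sig.s),
    honestStrict: dsaVerifyStrict(honestPub, h, sig.r, sig.s),
    // hashes the attacker never signed all pass the lax check with the forged key
    forgedLax: [0n, 1n, 7n, 10n].every(hh => dsaVerifyLax(FORGED_PUB, hh, FORGED_SIG.r, FORGED_SIG.s)),
    forgedStrict: dsaVerifyStrict(FORGED_PUB, h, FORGED_SIG.r, FORGED_SIG.s),
  };
}

console.log(demo());
```

The point of `validateDsaPublic` is that the checks are cheap (three modular exponentiations) and must run on the public key as parsed from untrusted input, before the verification equation is evaluated; checking only `r` and `s` is not enough, because `g=1`, `y=1` makes `v` independent of the hash regardless of the signature values.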

Risk Scores

CVSS v3.1: 9.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P

