SNYK-JS-JSRSASIGN-15370940
## Overview

[jsrsasign](https://www.npmjs.com/package/jsrsasign) is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in `KJUR.crypto.DSA.setPublic` (and the related DSA/X509 verification flow in `src/dsa-2.0.js`). An attacker can forge DSA signatures or X.509 certificates that `X509.verifySignature()` accepts by supplying malicious domain parameters such as `g=1`, `y=1`, and a fixed `r=1`, which make the verification equation true for any hash.

## Remediation

Upgrade `jsrsasign` to version 11.1.1 or higher.

## References

- [GitHub Commit](https://github.com/kjur/jsrsasign/commit/37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60)
- [GitHub Gist](https://gist.github.com/Kr0emer/bf15ddc097176e951659a24a8e9002a7)
- [GitHub PR](https://github.com/kjur/jsrsasign/pull/646)
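The failure described in the Overview can be seen in the DSA verification equation itself: with `g=1` and `y=1` the value `v = ((g^u1 * y^u2) mod p) mod q` is always 1, so `r=1` matches for every hash. The following is an added example, not jsrsasign code and not the project's patch; the function names and the toy parameters are constructed, and the checks shown are the standard range and subgroup tests for DSA public parameters.

```javascript
// Added example (not jsrsasign code): textbook DSA verification over BigInt.
// All names and the toy parameters (p=23, q=11) are constructed for illustration.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Verification equation only, with no checks on p, q, g, y (the flawed pattern).
function verifyUnchecked({ p, q, g, y }, h, { r, s }) {
  if (r <= 0n || r >= q || s <= 0n || s >= q) return false;
  const w = modPow(s, q - 2n, q); // s^-1 mod q, valid because q is prime
  const u1 = (h * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Range and subgroup checks; returns a rejection reason or null.
// Assumes p and q were already confirmed prime and of acceptable size.
function validateDsaPublic({ p, q, g, y }) {
  if ((p - 1n) % q !== 0n) return "q does not divide p-1";
  if (g <= 1n || g >= p) return "g must satisfy 1 < g < p";
  if (modPow(g, q, p) !== 1n) return "g does not have order q";
  if (y <= 1n || y >= p) return "y must satisfy 1 < y < p";
  if (modPow(y, q, p) !== 1n) return "y is not in the order-q subgroup";
  return null;
}

function verifyChecked(pub, h, sig) {
  return validateDsaPublic(pub) === null && verifyUnchecked(pub, h, sig);
}

// Constructed inputs: a well-formed key (x=3, y=2^3 mod 23) and the degenerate one.
const GOOD = { p: 23n, q: 11n, g: 2n, y: 8n };
const DEGENERATE = { p: 23n, q: 11n, g: 1n, y: 1n };
const HONEST_SIG = { r: 5n, s: 5n };  // signs h=5 with k=4
const FIXED_R_SIG = { r: 1n, s: 7n }; // r=1 as in the advisory

console.log("unchecked, degenerate key:", verifyUnchecked(DEGENERATE, 9n, FIXED_R_SIG));
console.log("checked, degenerate key:  ", verifyChecked(DEGENERATE, 9n, FIXED_R_SIG));
console.log("checked, well-formed key: ", verifyChecked(GOOD, 5n, HONEST_SIG));
```

Rejecting the key at import time, before any signature is evaluated, is what keeps the equation from being satisfied trivially.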
Timeline
- Feb 16, 2026 CVE Updated
- Mar 22, 2026 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370940 advisory
- https://www.npmjs.com/package/jsrsasign vendor
- https://github.com/kjur/jsrsasign/commit/37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60 patch
- https://gist.github.com/Kr0emer/bf15ddc097176e951659a24a8e9002a7 technical
- https://github.com/kjur/jsrsasign/pull/646 patch