SNYK-JS-JSRSASIGN-15370941 PUBLISHED CVSS 9.4 CRITICAL

## Overview

[jsrsasign](https://www.npmjs.com/package/jsrsasign) is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Missing Cryptographic Step via the `KJUR.crypto.DSA.signWithMessageHash` process in the DSA signing implementation. An attacker can recover the private key by forcing `r` or `s` to be zero, so the library emits an invalid signature without retrying, and then solves for `x` from the resulting signature.

## Remediation

Upgrade `jsrsasign` to version 11.1.1 or higher.

## References

- [GitHub Commit](https://github.com/kjur/jsrsasign/commit/0710e392ec35de697ce11e4219c988ba2b5fe0eb)
- [GitHub Gist](https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586)
- [GitHub PR](https://github.com/kjur/jsrsasign/pull/645)
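The missing step named in the Overview is the DSA rule that a signer discards a nonce whenever `r` or `s` comes out as zero and draws a new one. The following is an added example, not jsrsasign's code: a toy BigInt DSA signer with that retry loop and a verifier that rejects out-of-range values. The group parameters, the nonce queue and the names `signWithRetry`, `verify` and `demo` are constructed for illustration.

```javascript
// Added example: toy DSA over BigInt. Parameters are constructed and far too small for real use.
const P = 23n, Q = 11n, G = 4n;            // G has order Q modulo P

const mod = (a, m) => ((a % m) + m) % m;

function modPow(base, exp, m) {
  let result = 1n;
  for (base = mod(base, m); exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % m;
    base = (base * base) % m;
  }
  return result;
}

// Q is prime, so Fermat's little theorem gives the inverse.
const modInv = (a, m) => modPow(a, m - 2n, m);

// nextK is a hypothetical nonce source; a real signer uses a CSPRNG or RFC 6979.
function signWithRetry(h, x, nextK) {
  for (let attempts = 1; ; attempts++) {
    const k = nextK();
    const r = mod(modPow(G, k, P), Q);
    if (r === 0n) continue;                // s would no longer depend on x: draw a new k
    const s = mod(modInv(k, Q) * (h + x * r), Q);
    if (s === 0n) continue;                // h + x*r ≡ 0 (mod Q) ties x to public values: draw a new k
    return { r, s, attempts };
  }
}

// Verifier side: r and s must both lie in [1, Q-1] before any arithmetic is done.
function verify(h, sig, y) {
  const { r, s } = sig;
  if (r <= 0n || r >= Q || s <= 0n || s >= Q) return false;
  const w = modInv(s, Q);
  const v = mod(modPow(G, h * w, P) * modPow(y, r * w, P), P) % Q;
  return v === r;
}

function demo() {
  const x = 3n, h = 7n;                    // constructed private key and message hash
  const queue = [2n, 3n];                  // constructed nonces: k = 2 gives s = 0 for this h and x
  const sig = signWithRetry(h, x, () => queue.shift());
  return { sig, valid: verify(h, sig, modPow(G, x, P)) };
}
```

With the constructed inputs, the first nonce produces `s = 0` and is discarded; the signature returned comes from the second nonce and verifies.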

Risk Scores

CVSS v3.1
9.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:P

Affected Products

Vendor | Product | Versions
0
