SNYK-JS-JSRSASIGN-15370941
## Overview

[jsrsasign](https://www.npmjs.com/package/jsrsasign) is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Missing Cryptographic Step via the `KJUR.crypto.DSA.signWithMessageHash` process in the DSA signing implementation. An attacker can recover the private key by forcing `r` or `s` to be zero: the library emits the invalid signature without retrying, and the attacker then solves for `x` from the resulting signature.

## Remediation

Upgrade `jsrsasign` to version 11.1.1 or higher.

## References

- [GitHub Commit](https://github.com/kjur/jsrsasign/commit/0710e392ec35de697ce11e4219c988ba2b5fe0eb)
- [GitHub Gist](https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586)
- [GitHub PR](https://github.com/kjur/jsrsasign/pull/645)
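The retry step that the Overview describes as missing, shown as an added example (not jsrsasign's code and not the upstream patch): a toy DSA signer that discards any attempt whose `r` or `s` is zero, with the matching range check on the verifier side. The domain parameters, the function names and the `nextNonce` callback are constructed for illustration.

```javascript
// Constructed toy DSA domain parameters (far too small for real use):
// q divides p - 1 and g has order q modulo p.
const P = 23n, Q = 11n, G = 4n;

const mod = (a, m) => ((a % m) + m) % m;

function modPow(base, exp, m) {
  let result = 1n;
  for (base = mod(base, m); exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % m;
    base = (base * base) % m;
  }
  return result;
}

// Q is prime, so Fermat's little theorem gives the inverse modulo Q.
const invModQ = (a) => modPow(a, Q - 2n, Q);

// One signing attempt with a given nonce k. This alone is what a signer
// without the retry step returns, zero components included.
function signOnce(h, x, k) {
  const r = modPow(G, k, P) % Q;
  const s = mod(invModQ(k) * (h + x * r), Q);
  return { r, s };
}

// Signing with the retry step: discard any attempt whose r or s is zero
// and draw a fresh nonce. `nextNonce` is a hypothetical callback; real code
// must draw k uniformly from [1, q-1] with a CSPRNG.
function signWithRetry(h, x, nextNonce, maxAttempts = 16) {
  for (let i = 0; i < maxAttempts; i++) {
    const { r, s } = signOnce(h, x, nextNonce());
    if (r !== 0n && s !== 0n) return { r, s };
  }
  throw new Error("no valid signature after " + maxAttempts + " attempts");
}

// Verifier side: reject anything outside 0 < r, s < q before any arithmetic.
function verify(h, y, { r, s }) {
  if (r <= 0n || r >= Q || s <= 0n || s >= Q) return false;
  const w = invModQ(s);
  const v = (modPow(G, mod(h * w, Q), P) * modPow(y, mod(r * w, Q), P)) % P % Q;
  return v === r;
}
```

A quick audit for code that consumes DSA signatures from an unpatched signer is to apply the same range check as `verify` and treat any stored signature with a zero component as a reason to rotate the key.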
Timeline
- Feb 16, 2026 CVE Updated
- Mar 22, 2026 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370941 advisory
- https://www.npmjs.com/package/jsrsasign vendor
- https://github.com/kjur/jsrsasign/commit/0710e392ec35de697ce11e4219c988ba2b5fe0eb patch
- https://gist.github.com/Kr0emer/93789fe6efe5519db9692d4ad1dad586 technical
- https://github.com/kjur/jsrsasign/pull/645 patch