SNYK-JS-JSRSASIGN-15371175
## Overview

[jsrsasign](https://www.npmjs.com/package/jsrsasign) is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Incorrect Conversion between Numeric Types due to the handling of negative exponents in `ext/jsbn2.js`. By calling `modPow` with a negative exponent, an attacker can force the computation of incorrect modular inverses and break signature verification.

## Remediation

Upgrade `jsrsasign` to version 11.1.1 or higher.

## References

- [GitHub Commit](https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195)
- [GitHub Gist](https://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5)
- [GitHub PR](https://github.com/kjur/jsrsasign/pull/650)
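To apply the remediation above, a project needs to know whether any copy of `jsrsasign` below 11.1.1 is installed, including transitive ones. The following check is an added example, not code from the advisory or from the jsrsasign project; it assumes every release below 11.1.1 needs the upgrade, and the sample lockfile, the `legacy-auth` package name and the function names are constructed for illustration.

```javascript
// Added example: flag jsrsasign installs below the fixed release named in this advisory.
const PACKAGE = "jsrsasign";
const FIXED = "11.1.1"; // first fixed version, from the Remediation section

// Parse "major.minor.patch"; a prerelease tag (e.g. 11.1.1-rc.1) sorts before its release.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function isBelowFixed(version) {
  const a = parseVersion(version), b = parseVersion(FIXED);
  if (!a) return true; // unparseable (git URL, tarball): report for manual review
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre; // same triple: only a prerelease is older than the fix
}

// Walks lockfileVersion 2/3 ("packages", keyed by install path) and
// lockfileVersion 1 ("dependencies", nested), so transitive copies are found too.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === PACKAGE && isBelowFixed(meta.version)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PACKAGE && isBelowFixed(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsrsasign": { version: "11.1.1" },
    "node_modules/legacy-auth/node_modules/jsrsasign": { version: "10.9.0" },
  },
};
console.log(findVulnerable(sampleLock));
```

In a real project, pass the parsed contents of `package-lock.json` to `findVulnerable` and fail the build when the returned list is non-empty.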
Exploit Intelligence
- ghost_report_20260112_192608.json (github-poc)
- ghost_report_20260112_175243.json (github-poc)
- ghost_report_20260112_182220.json (github-poc)
Timeline
- Feb 21, 2026 CVE Updated
- Mar 22, 2026 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175 advisory
- https://www.npmjs.com/package/jsrsasign vendor
- https://github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195 patch
- https://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5 technical
- https://github.com/kjur/jsrsasign/pull/650 patch