20 matches found
@1auth/authn-webauthn (>=0.0.0-alpha.0 <=0.0.0-alpha.3), @agentic/stdlib (>=7.4.0 <=7.6.9) +786 more potentially affected by CVE-2026-4601 via jsrsasign (>=0.0.3 <=11.1.0)
jsrsasign NPM version =0.0.3, =0.0.0-alpha.0, =7.4.0, =7.4.0, =6.0.0-A.3-8242, =1.0.0-1.0.1.0, =1.0.0-1.0.1.0, =0.0.3-alpha.0, =2.0.0, =2.7.1, =6.0.0, =6.0.0, =0.1.0, =1.0.0, =5.0.0-3998.0 and more Source cves: CVE-2026-4601 Source advisory: OSV:GHSA-W8Q8-93CX-6H7R...
CVE-2026-4599
JSrsasign versions 7.0.0–11.0.x are vulnerable due to Incomplete Comparison with Missing Factors in src/crypto-1.1.js: getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax perform incorrect compareTo checks that accept out-of-range candidates, biasing DSA nonces and enabling private key r...
CVE-2026-4600
CVE-2026-4600 affects the JavaScript library jsrsasign prior to 11.1.1. The vulnerability stems from improper verification of cryptographic signatures due to DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and related DSA/X509 verification in src/dsa-2.0.js). An attacker can forge D...
jsrsasign security vulnerability
jsrsasign is a signature verification library developed by Kenji Urushima. Versions of jsrsasign prior to 11.1.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of encryption steps in the DSA signature implementation, which could lead to the exposure of private key...
jsrsasign security vulnerability
jsrsasign is a signature verification library developed by Kenji Urushima. Versions of jsrsasign prior to 11.1.1 contained security vulnerabilities. These vulnerabilities stemmed from improper validation of DSA domain parameters in the src/dsa-2.0.js file, which could lead to the creation of forg...
Division by zero
Overview: jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key...
Incomplete Comparison with Missing Factors
Overview: jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the priva...
Improper Verification of Cryptographic Signature
Overview: jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic and the related DSA/X509 verification flow in src/dsa-2.0.j...
Improper Verification of Cryptographic Signature
Overview: org.webjars.npm:jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic and the related DSA/X509 verification flow ...
EUVD-2024-0416
Malicious code in bioql PyPI...
CVE-2025-45764
jsrsasign v11.1.0 was discovered to contain weak encryption. NOTE: this issue has been disputed by a third party who believes that CVE IDs can be assigned for key lengths in specific applications that use a library, and should not be assigned to the default key lengths in a library. This dispute ...
@1auth/authn-webauthn (>=0.0.0-alpha.0 <=0.0.0-alpha.3), @agentic/stdlib (>=7.4.0 <=7.6.9) +743 more potentially affected by CVE-2024-21484 via jsrsasign (>=0.0.3 <=10.9.0)
jsrsasign NPM version =0.0.3, =0.0.0-alpha.0, =7.4.0, =7.4.0, =6.0.0-A.3-8242, =1.0.0-1.0.1.0, =1.0.0-1.0.1.0, =0.0.3-alpha.0, =2.0.0, =2.7.1, =6.0.0, =6.0.0, =0.1.0, =1.0.0, =5.0.0-3998.0 and more Source cves: CVE-2024-21484 Source advisory: OSV:GHSA-RH63-9QCF-83GF...
Observable Discrepancy
Overview: jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerabili...
Improper Verification of Cryptographic Signature
Overview: jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid ...
@ampproject/toolbox-update-cache (>=2.7.1 <=2.8.0-canary.15), @apolitical/apis-client (>=1.0.0 <=1.1.5) +32 more potentially affected by CVE-2021-30246 via jsrsasign (>=0.0.3 <=10.1.8)
jsrsasign NPM version =0.0.3, =2.7.1, =1.0.0, =1.0.0, =0.1.24, =0.2.0, =0.0.11, =1.0.1, =0.8.1, =0.1.0, =0.0.1, =0.0.4 - bitcore-litecoin =0.8.5 - bitcore-mnemonic-litecoin =1.1.1 and more Source cves: CVE-2021-30246 Source advisory: OSV:GHSA-27FJ-MC8W-J9WG...
@10yun/cv-mobile-ui (=0.3.20), @agneta/cli (>=0.14.7 <=0.14.15) +446 more potentially affected by unknown CVE via jsrsasign (>=4.8.2 <=8.0.12)
jsrsasign NPM version =4.8.2, =0.14.7, =2.0.1-alpha.0, =1.0.0, =1.0.0, =2.0.1-alpha.0, =1.0.0, =1.0.0, =1.0.17-beta.7, =1.0.0-beta.0, =1.0.0, =0.4.1, =1.0.1, =1.0.7 and more Source cves: unknown CVE Source advisory: OSV:GHSA-G753-JX37-7XWH...
@10yun/cv-mobile-ui (=0.3.20), @agneta/cli (>=0.14.7 <=0.14.15) +447 more potentially affected by CVE-2020-14966 via jsrsasign (>=4.8.2 <=8.0.18)
jsrsasign NPM version =4.8.2, =0.14.7, =2.0.1-alpha.0, =1.0.0, =1.0.0, =2.0.1-alpha.0, =1.0.0, =1.0.0, =1.0.17-beta.7, =1.0.0-beta.0, =1.0.0, =0.4.1, =1.0.1, =1.0.7 and more Source cves: CVE-2020-14966 Source advisory: OSV:GHSA-P8C3-7RJ8-Q963...
@10yun/cv-mobile-ui (=0.3.20), @1auth/authn-webauthn (>=0.0.0-alpha.0 <=0.0.0-alpha.3) +1438 more potentially affected by CVE-2020-14967 via jsrsasign (>=0.0.3 <=8.0.17)
jsrsasign NPM version =0.0.3, =0.0.0-alpha.0, =0.0.1, =7.4.0, =7.4.0, =0.14.7, =2.0.1-alpha.0, =1.0.0, =1.0.0, =2.0.1-alpha.0, =1.0.0, =1.0.0, =1.0.17-beta.7, =0.9.0, =1.0.0-alpha.0, =1.0.0-alpha.32 and more Source cves: CVE-2020-14967 Source advisory: OSV:GHSA-XXXQ-CHMP-67G4...
GHSA-XXXQ-CHMP-67G4 RSA PKCS#1 decryption vulnerability with prepending zeros in jsrsasign
Impact: Jsrsasign supports RSA PKCS1 v1.5 i.e. RSAES-PKCS1-v15 and RSA-OAEP encryption and decryption. Its encrypted message is represented as BigInteger. When there is a valid encrypted message, a crafted message with prepending zeros can be decrypted by this vulnerability. - If you don't use RSA...
@10yun/cv-mobile-ui (=0.3.20), @agneta/cli (>=0.14.7 <=0.14.15) +447 more potentially affected by CVE-2020-14968 via jsrsasign (>=4.8.2 <=8.0.16)
jsrsasign NPM version =4.8.2, =0.14.7, =2.0.1-alpha.0, =1.0.0, =1.0.0, =2.0.1-alpha.0, =1.0.0, =1.0.0, =1.0.17-beta.7, =1.0.0-beta.0, =1.0.0, =0.4.1, =1.0.1, =1.0.7 and more Source cves: CVE-2020-14968 Source advisory: OSV:GHSA-Q3GH-5R98-J4H3...