Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.
Published: 2026-03-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Signature Verification Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an incorrect conversion between numeric types in the jsrsasign library. When a negative exponent is passed to the modPow function in ext/jsbn2.js, the library computes an incorrect modular inverse, leading to a signature verification bypass. An attacker able to supply such input can forge signatures for any data validated by the library, potentially compromising code integrity or authentication mechanisms. The weakness corresponds to CWE-681.

Affected Systems

The affected product is the jsrsasign JavaScript library, used in Node.js projects. All releases before version 11.1.1 are vulnerable. Projects that rely on jsrsasign to validate cryptographic signatures of external data are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity, but the EPSS score lower than 1 percent suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, implying no documented exploitation yet. Attackers would need the ability to influence the input data that triggers the modPow function, which typically occurs in scenarios where an application accepts untrusted signatures. Once the input is controlled, the attacker can bypass verification and potentially inject malicious content.

Generated by OpenCVE AI on March 23, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsrsasign to version 11.1.1 or newer.
  • Verify that the upgrade is complete and that no older versions remain in the project dependencies.
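A way to carry out the second step mechanically, as an added example that is not part of the OpenCVE page or of the jsrsasign project: walk an npm lockfile (the "packages" map of lockfileVersion 2 or 3) and report every installed copy of jsrsasign whose version is below 11.1.1, including nested copies that a transitive dependency pins. The lockfile below is constructed sample data and the package name "some-jwt-helper" is hypothetical.

```javascript
// Added example: find every jsrsasign copy in an npm lockfile that is older
// than the fixed release 11.1.1. Nested installs such as
// node_modules/<dep>/node_modules/jsrsasign are the ones a plain
// "npm ls jsrsasign" at the top level is easy to overlook.

const FIXED_VERSION = '11.1.1';

// Parse "MAJOR.MINOR.PATCH" (any prerelease/build suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Each key of lock.packages is an install path; the package name is the text
// after the last "node_modules/" segment, so nested copies are matched too.
function findVulnerableJsrsasign(lock, fixed = FIXED_VERSION) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === '') continue; // root project entry, not a dependency
    const name = installPath.split('node_modules/').pop();
    if (name !== 'jsrsasign' || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      findings.push({ path: installPath, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not real project data): the top-level copy is
// patched, but a hypothetical dependency still pulls in an older nested copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/jsrsasign': { version: '11.1.1' },
    'node_modules/some-jwt-helper': {
      version: '2.3.0',
      dependencies: { jsrsasign: '^10.0.0' },
    },
    'node_modules/some-jwt-helper/node_modules/jsrsasign': { version: '10.9.0' },
  },
};

// Stand-alone run: report each vulnerable copy. On a real project, replace
// SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const f of findVulnerableJsrsasign(SAMPLE_LOCK)) {
  console.log(`vulnerable jsrsasign ${f.version} at ${f.path} (fixed in ${FIXED_VERSION})`);
}
```

The scan deliberately compares installed versions rather than the ranges declared in package.json, because a caret range in a dependency's manifest can still resolve to an old release that sits in a nested node_modules directory; an empty result from findVulnerableJsrsasign is what "no older versions remain" means in practice.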


Advisories

Source: Github GHSA
ID: GHSA-8qwj-4jxw-m8jw
Title: jsrsasign: Negative Exponent Handling Leads to Signature Verification Bypass
History

Mon, 23 Mar 2026 16:15:00 +0000

Type: First Time appeared | Values Added: Jsrsasign Project; Jsrsasign Project jsrsasign
Type: CPEs | Values Added: cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*
Type: Vendors & Products | Values Added: Jsrsasign Project; Jsrsasign Project jsrsasign

Mon, 23 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc) | Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 12:15:00 +0000

Type: Title | Values Added: jsrsasign: jsrsasign: Signature verification bypass via negative exponent handling
Type: References
Type: Metrics (threat_severity) | Values Removed: None | Values Added: Important


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared | Values Added: Kjur; Kjur jsrsasign
Type: Vendors & Products | Values Added: Kjur; Kjur jsrsasign

Mon, 23 Mar 2026 05:45:00 +0000

Type: Description | Values Added: Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.
Type: Weaknesses | Values Added: CWE-681
Type: References
Type: Metrics (cvssV3_1) | Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P'}
Type: Metrics (cvssV4_0) | Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED
Assigner: snyk
Published:
Updated: 2026-03-23T14:37:39.558Z
Reserved: 2026-03-22T16:26:15.167Z
Link: CVE-2026-4602

Vulnrichment

Updated: 2026-03-23T14:36:00.641Z

NVD

Status: Analyzed
Published: 2026-03-23T06:16:22.070
Modified: 2026-03-23T16:08:58.320
Link: CVE-2026-4602

Redhat

Severity: Important
Public Date: 2026-03-23T05:00:10Z
Links: CVE-2026-4602 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:49:51Z

Weaknesses