CVE-2026-4603 - Vulnerability Details

- jsrsasign: jsrsasign: Cryptographic operations impacted by division by zero via malicious JSON Web Key

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.

Published: 2026-03-23

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a division by zero error in the RSASetPublic parsing logic and BigInteger.modPowInt reduction used by jsrsasign. An attacker who supplies a JSON Web Key whose modulus decodes to zero can force RSA public‑key operations, such as signature verification and encryption, to produce zero results. The error handling also suppresses the expected “invalid key” message, making detection difficult. This flaw can enable an adversary to bypass cryptographic checks that rely on public‑key verification or to corrupt encrypted data without detection.

Affected Systems

The issue affects the JavaScript library jsrsasign provided by the jsrsasign project, for use in Node.js environments. All package versions released before 11.1.1 are vulnerable; upgrading to 11.1.1 or a later release removes the flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1, indicating medium severity, and an EPSS score of less than 1 %, suggesting low likelihood of exploitation in the near term. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to control the JSON Web Key input supplied to the library, which is typically possible in applications that parse or process JWK data from external sources. No publicly disclosed exploits have been reported, but the deterministic zero output could be leveraged to subvert authentication or data integrity checks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

jsrsasign

affected

Version	Status	Constraints
`0`	affected	< 11.1.1

Configuration 1 [-]

cpe:2.3:a:jsrsasign_project:jsrsasign:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Kjur

Jsrsasign

80%

Version	Status	Scheme	Platform
`[0,11.1.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the jsrsasign library to version 11.1.1 or later in all affected codebases;

Generated by OpenCVE AI on March 23, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-464q-cqxq-xhgr	jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3
https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f
https://github.com/kjur/jsrsasign/pull/649
https://nvd.nist.gov/vuln/detail/CVE-2026-4603
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176
https://www.cve.org/CVERecord?id=CVE-2026-4603

History

Mon, 23 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jsrsasign Project Jsrsasign Project jsrsasign
CPEs		cpe:2.3:a:jsrsasign_project:jsrsasign::::::node.js::*
Vendors & Products		Jsrsasign Project Jsrsasign Project jsrsasign

Mon, 23 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		jsrsasign: jsrsasign: Cryptographic operations impacted by division by zero via malicious JSON Web Key
References		https://nvd.nist.gov/vuln/detail/CVE-2026-4603 https://www.cve.org/CVERecord?id=CVE-2026-4603
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kjur Kjur jsrsasign
Vendors & Products		Kjur Kjur jsrsasign

Mon, 23 Mar 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.
Weaknesses		CWE-369
References		https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3 https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f https://github.com/kjur/jsrsasign/pull/649 https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Jsrsasign Project Jsrsasign

Kjur Jsrsasign

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2026-03-23T05:00:14.060Z

Updated: 2026-03-23T14:42:16.345Z

Reserved: 2026-03-22T16:26:19.818Z

Link: CVE-2026-4603

Vulnrichment

Updated: 2026-03-23T14:42:13.779Z

NVD

Status : Analyzed

Published: 2026-03-23T06:16:22.233

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4603

Redhat

Severity : Moderate

Publid Date: 2026-03-23T05:00:14Z

Links: CVE-2026-4603 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:49:47Z

Weaknesses

CWE-369

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object