CVE-2022-25898
HIGHjsrsasign 4.8.0-10.5.24 - Improper Verification of Cryptographic Signature
Title source: llmDescription
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.
References (6)
Core 6
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2935896
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898
Patch, Third Party Advisory x_refsource_misc
https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/kjur/jsrsasign/releases/tag/10.5.25
Scores
CVSS v3
7.7
EPSS
0.0177
EPSS Percentile
82.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
Details
CWE
CWE-347
Status
published
Products (2)
jsrsasign_project/jsrsasign
4.8.0 - 10.5.25
npm/jsrsasign
4.8.0 - 10.5.25npm
Published
Jul 01, 2022
Tracked Since
Feb 18, 2026