CVE-2026-4603

MEDIUM

jsrsasign <11.1.1 - Division by Zero

Title source: llm

Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.

References (4)

https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176

https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3

https://github.com/kjur/jsrsasign/commit/dc41d49fac4297e7a737a3ef8ebd0aa9c49ef93f

View Patch ZIP pw:eip

https://github.com/kjur/jsrsasign/pull/649

Scores

CVSS v3 5.9

EPSS 0.0001

EPSS Percentile 1.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-369

Status published

Products (3)

jsrsasign_project/jsrsasign < 11.1.1

n/a/jsrsasign < 11.1.1

npm/jsrsasign 0 - 11.1.1npm

Published Mar 23, 2026

Tracked Since Mar 23, 2026