PT-2023-9034 · Unknown+5 · Browserify-Sign+5

Roadicing · Published 2023-10-26 · Updated 2025-06-25 · CVE-2023-46234

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: browserify-sign versions prior to 4.2.2

Description: The issue is related to an upper bound check problem in the dsaVerify function, which allows an attacker to construct signatures that can be successfully verified by any public key. This leads to a signature forgery attack. All places in the project that involve DSA verification of user-input signatures are affected by this issue.

Recommendations: To resolve the issue, update to version 4.2.2 or later. As a temporary workaround, consider disabling the dsaVerify function until a patch is available. Restrict access to areas of the project that involve DSA verification of user-input signatures to minimize the risk of exploitation. Avoid using the dsaVerify function in the affected API endpoints until the issue is resolved.
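The bound check the description refers to, as an added example that is not browserify-sign's own code: a toy DSA verifier with constructed domain parameters (p = 23, q = 11, g = 2), a constructed key and a byte-sum stand-in for the digest, written to show where the strict (0, q) check on r and s belongs relative to the verification arithmetic.

```javascript
// Added example, not browserify-sign's code. Parameters, key and hash are constructed.
const P = 23n, Q = 11n, G = 2n; // toy domain parameters: q | p-1, g has order q mod p

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (let e = exp; e > 0n; e >>= 1n) {
    if (e & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Inverse mod q by Fermat's little theorem (q is prime).
function modInv(a, q) {
  return modPow(((a % q) + q) % q, q - 2n, q);
}

// Constructed stand-in for the digest: byte sum reduced mod q. A real
// implementation hashes with SHA-2 and truncates to the bit length of q.
function hashToQ(msg) {
  return BigInt([...Buffer.from(msg, 'utf8')].reduce((a, b) => a + b, 0)) % Q;
}

// Signing with a caller-supplied nonce k (fixed here so results are reproducible).
function sign(msg, x, k) {
  const r = modPow(G, k, P) % Q;
  const s = (modInv(k, Q) * (hashToQ(msg) + x * r)) % Q;
  return { r, s };
}

// The check the advisory is about: r and s must lie strictly inside (0, q).
// Without the upper bound, values >= q reach the arithmetic below unrejected.
function checkValue(v) {
  return typeof v === 'bigint' && v > 0n && v < Q;
}

function verify(msg, y, sig) {
  if (!checkValue(sig.r) || !checkValue(sig.s)) return false;
  const w = modInv(sig.s, Q);
  const u1 = (hashToQ(msg) * w) % Q;
  const u2 = (sig.r * w) % Q;
  const v = ((modPow(G, u1, P) * modPow(y, u2, P)) % P) % Q;
  return v === sig.r;
}

// Constructed key pair: private x, public y = g^x mod p.
const X = 7n;
const Y = modPow(G, X, P);
```

Out-of-range r or s is rejected before any modular inverse is computed, which is the ordering a DSA verifier needs regardless of the big-integer library behind it.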

Weakness Enumeration

Improper Verification of Cryptographic Signature
Related Identifiers

AZL-31719
BDU:2024-03158
CVE-2023-46234
DLA-3635-1
DSA-5539-1
GHSA-X9W5-V3Q2-3RHW
MGASA-2025-0194
OPENSUSE-SU-2025:14663-1
USN-6800-1

Affected Products

Astra Linux
Confluence
Linux Mint
RED OS
Ubuntu
Browserify-Sign