PT-2026-27055 · Jsrsasign · Jsrsasign
Kr0Emer · Published 2026-03-23 · Updated 2026-03-31
CVE-2026-4599
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
jsrsasign versions 7.0.0 through 11.1.1
Description
The jsrsasign package is susceptible to an issue involving incomplete comparison with missing factors within the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions located in src/crypto-1.1.js. This flaw allows an attacker to potentially recover the private key by exploiting incorrect compareTo checks. These checks accept out-of-range candidates, which biases DSA nonces during signature generation.
Recommendations
Versions 7.0.0 through 11.1.1 are vulnerable and should be updated.
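The failure mode named in the description, a compareTo check that accepts out-of-range candidates inside a rejection sampler, shown beside a sign-based check with a range regression test. This is an added example, not jsrsasign's source: the comparator, both checks and all function names are constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, none is jsrsasign code.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform random BigInt in [0, 2^bits - 1].
function randomBits(bits) {
  const bytes = new Uint8Array(Math.ceil(bits / 8));
  rng.getRandomValues(bytes);
  let x = 0n;
  for (const b of bytes) x = (x << 8n) | BigInt(b);
  return x & ((1n << BigInt(bits)) - 1n);
}

// Constructed comparator (assumption): like many bignum compareTo methods it
// returns a signed difference, so only the sign of the result is meaningful.
const compareTo = (a, b) => Number(a - b);

// Constructed weak check: tests for one literal value instead of the sign,
// so it rejects only r == max + 1 and accepts every other r > max.
const weakAccept = (cmp) => cmp !== -1;
// Sign-based check: accepts a candidate only when max >= r.
const safeAccept = (cmp) => cmp >= 0;

// Rejection sampling over [0, max]: draw bitLength(max) bits, retry on reject.
function sampleZeroToMax(max, accept) {
  const bits = max.toString(2).length;
  for (;;) {
    const r = randomBits(bits);
    if (accept(compareTo(max, r))) return r;
  }
}

// Range [min, max] built on the zero-based sampler.
function sampleMinToMax(min, max, accept) {
  return sampleZeroToMax(max - min, accept) + min;
}

// Regression check: how many of n draws fall outside [min, max]?
function countOutOfRange(min, max, accept, n) {
  let bad = 0;
  for (let i = 0; i < n; i++) {
    const r = sampleMinToMax(min, max, accept);
    if (r < min || r > max) bad++;
  }
  return bad;
}

// Constructed input: [1, 257], so max - min = 256 and candidates span 0..511.
console.log('weak:', countOutOfRange(1n, 257n, weakAccept, 2000));
console.log('safe:', countOutOfRange(1n, 257n, safeAccept, 2000));
```

A range test of this shape, pointed at the sampler that feeds signature nonces, is a quick way to confirm after upgrading that no out-of-range value is ever returned.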
Affected Products
Jsrsasign