PT-2026-27059 · Jsrsasign · Jsrsasign

Kr0Emer · Published 2026-03-23 · Updated 2026-03-23 · CVE-2026-4603

CVSS v3.1: 5.9 Medium

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

jsrsasign versions prior to 11.1.1

Description

The jsrsasign package contains a flaw related to division by zero. This issue stems from the RSASetPublic/KEYUTIL parsing path within the 'ext/rsa.js' file and the BigInteger.modPowInt reduction logic in 'ext/jsbn.js'. An attacker can exploit this by providing a JSON Web Key (JWK) with a modulus that decodes to zero, causing RSA public-key operations, such as verification and encryption, to produce deterministic zero outputs and conceal “invalid key” errors.

Recommendations

Update jsrsasign to version 11.1.1 or later.
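
A caller-side check that rejects the degenerate key described above before it is handed to any RSA key-import routine, as an added example that is not jsrsasign code and not part of the advisory. The names `checkRsaPublicJwk`, `rejectReason` and `MIN_MODULUS_BITS`, the 2048-bit minimum and the sample keys are assumptions made for illustration; it complements the upgrade and does not replace it.

```javascript
// Added example: structural validation of an RSA public JWK before key import.
// All names here are hypothetical; none of them is jsrsasign API.
const MIN_MODULUS_BITS = 2048; // assumed policy value, adjust to local requirements

// Decode a base64url string to a non-negative BigInt; throws on malformed input.
function b64uToBigInt(value, field) {
  if (typeof value !== 'string' || !/^[A-Za-z0-9_-]+$/.test(value)) {
    throw new Error(`${field}: missing or not base64url`);
  }
  const b64 = value.replace(/-/g, '+').replace(/_/g, '/');
  const hex = Buffer.from(b64, 'base64').toString('hex');
  return hex.length === 0 ? 0n : BigInt('0x' + hex);
}

// Returns { n, e } as BigInt when the key is structurally sane, otherwise throws.
function checkRsaPublicJwk(jwk) {
  if (!jwk || jwk.kty !== 'RSA') throw new Error('kty: expected RSA');
  const n = b64uToBigInt(jwk.n, 'n');
  const e = b64uToBigInt(jwk.e, 'e');
  // Leading zero bytes do not matter: any all-zero encoding decodes to 0.
  if (n === 0n) throw new Error('n: modulus decodes to zero');
  if (n.toString(2).length < MIN_MODULUS_BITS) throw new Error('n: modulus too short');
  if ((n & 1n) === 0n) throw new Error('n: modulus is even');
  if (e < 3n || (e & 1n) === 0n) throw new Error('e: exponent must be odd and >= 3');
  if (e >= n) throw new Error('e: exponent not smaller than modulus');
  return { n, e };
}

// Convenience wrapper: null when the key passes, otherwise the rejection reason.
function rejectReason(jwk) {
  try { checkRsaPublicJwk(jwk); return null; } catch (err) { return err.message; }
}

// Constructed sample keys (not real key material).
const zeroModulusJwk = { kty: 'RSA', n: 'AA', e: 'AQAB' };            // one 0x00 byte
const paddedZeroJwk = { kty: 'RSA', n: 'A'.repeat(344), e: 'AQAB' };  // 258 zero bytes
// 2048-bit odd value used only for its shape; it is not a usable RSA modulus.
const shapeOnlyN = Buffer.alloc(256, 0xff).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const wellFormedJwk = { kty: 'RSA', n: shapeOnlyN, e: 'AQAB' };

console.log(rejectReason(zeroModulusJwk));
console.log(rejectReason(paddedZeroJwk));
console.log(rejectReason(wellFormedJwk));
```

Failing closed here matters because, per the description, the vulnerable versions return zero outputs instead of raising an invalid-key error.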

Exploit

Fix

Weakness Enumeration

Divide By Zero

Related Identifiers

CVE-2026-4603
GHSA-464Q-CQXQ-XHGR

Affected Products

Jsrsasign