jsrsasign 8.0.20 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the jsrsasign package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Division by zero jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Division by zero due to the `RSASetPublic/KEYUTIL` parsing path in `ext/rsa.js` and the `BigInteger.modPowInt` reduction logic in `ext/jsbn.js`. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero. How to fix Division by zero? Upgrade `jsrsasign` to version 11.1.1 or higher.	<11.1.1
H Incorrect Conversion between Numeric Types jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in `ext/jsbn2.js`. An attacker can force the computation of incorrect modular inverses and break signature verification by calling `modPow` with a negative exponent. How to fix Incorrect Conversion between Numeric Types? Upgrade `jsrsasign` to version 11.1.1 or higher.	<11.1.1
C Missing Cryptographic Step jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Missing Cryptographic Step via the `KJUR.crypto.DSA.signWithMessageHash` process in the DSA signing implementation. An attacker can recover the private key by forcing `r` or `s` to be zero, so the library emits an invalid signature without retrying, and then solves for `x` from the resulting signature. How to fix Missing Cryptographic Step? Upgrade `jsrsasign` to version 11.1.1 or higher.	<11.1.1
C Improper Verification of Cryptographic Signature jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in `KJUR.crypto.DSA.setPublic` (and the related DSA/X509 verification flow in `src/dsa-2.0.js`). An attacker can forge DSA signatures or X.509 certificates that `X509.verifySignature()` accepts by supplying malicious domain parameters such as `g=1`, `y=1`, and a fixed `r=1`, which make the verification equation true for any hash. How to fix Improper Verification of Cryptographic Signature? Upgrade `jsrsasign` to version 11.1.1 or higher.	<11.1.1
C Incomplete Comparison with Missing Factors jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Incomplete Comparison with Missing Factors via the `getRandomBigIntegerZeroToMax` and `getRandomBigIntegerMinToMax` functions in `src/crypto-1.1.js`; an attacker can recover the private key by exploiting the incorrect `compareTo` checks that accept out-of-range candidates and thus bias DSA nonces during signature generation. How to fix Incomplete Comparison with Missing Factors? Upgrade `jsrsasign` to version 11.1.1 or higher.	>=7.0.0 <11.1.1
H Infinite loop jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Infinite loop via the `bnModInverse` function in `ext/jsbn2.js` when the `BigInteger.modInverse` implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)). How to fix Infinite loop? Upgrade `jsrsasign` to version 11.1.1 or higher.	<11.1.1
H Observable Discrepancy jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Observable Discrepancy via the RSA PKCS#1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. How to fix Observable Discrepancy? Upgrade `jsrsasign` to version 11.0.0 or higher.	<11.0.0
H Improper Verification of Cryptographic Signature jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when `JWS` or `JWT` signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. How to fix Improper Verification of Cryptographic Signature? Upgrade `jsrsasign` to version 10.5.25 or higher.	<10.5.25
M Cryptographic Weakness jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Cryptographic Weakness. Invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. How to fix Cryptographic Weakness? Upgrade `jsrsasign` to version 10.1.13 or higher.	<10.1.13

Vulnerability

Vulnerable Version

Division by zero