Search for packages
| purl | pkg:npm/jsrsasign@9.1.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1va4-6h3w-h7an
Aliases: CVE-2022-25898 GHSA-3fvg-4v2m-98jf GMS-2022-2707 |
JWS and JWT signature validation vulnerability with special characters ### Impact Jsrsasign supports JWS(JSON Web Signatures) and JWT(JSON Web Token) validation. However JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. For example, even if a string of non Base64URL encoding characters such as `!@$%` or `\11` is inserted into a valid JWS or JWT signature value string, it will still be a valid JWS or JWT signature by mistake. When jsrsasign's JWS or JWT validation is used in OpenID connect or OAuth2, this vulnerability will affect to authentication or authorization. By our internal assessment, CVSS 3.1 score will be 8.6. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N ### Patches Users validate JWS or JWT signatures should upgrade to 10.5.25. ### Workarounds Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method. ### ACKNOWLEDGEMENT Thanks to Adi Malyanker and Or David for this vulnerability report. Also thanks for [Snyk security team](https://snyk.io/) for this coordination. ### References https://github.com/kjur/jsrsasign/releases/tag/10.5.25 https://github.com/kjur/jsrsasign/security/advisories/GHSA-3fvg-4v2m-98jf kjur's advisories https://github.com/advisories/GHSA-3fvg-4v2m-98jf github advisories https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25898 https://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verifyJWT https://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verify https://kjur.github.io/jsrsasign/api/symbols/global__.html#.isBase64URLDot https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWS-verification https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-verification https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122 |
Affected by 7 other vulnerabilities. |
|
VCID-3c19-m13f-vbf1
Aliases: CVE-2021-30246 GHSA-27fj-mc8w-j9wg |
Improper Verification of Cryptographic Signature In the jsrsasign package for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack. |
Affected by 8 other vulnerabilities. |
|
VCID-ax2w-kcpr-rffk
Aliases: CVE-2026-4599 GHSA-5jx8-q4cp-rhh6 |
jsrsasign: jsrsasign: Private key recovery via incomplete comparison checks biasing DSA nonces |
Affected by 0 other vulnerabilities. |
|
VCID-b7u7-uwdr-vbgs
Aliases: CVE-2026-4601 GHSA-w8q8-93cx-6h7r |
jsrsasign: jsrsasign: Private Key Recovery via Missing Cryptographic Step in DSA Signing |
Affected by 0 other vulnerabilities. |
|
VCID-bgv2-wbuc-wqcj
Aliases: CVE-2026-4603 GHSA-464q-cqxq-xhgr |
jsrsasign: jsrsasign: Cryptographic operations impacted by division by zero via malicious JSON Web Key |
Affected by 0 other vulnerabilities. |
|
VCID-q2dz-12f5-zbgg
Aliases: CVE-2026-4602 GHSA-8qwj-4jxw-m8jw |
jsrsasign: jsrsasign: Signature verification bypass via negative exponent handling |
Affected by 0 other vulnerabilities. |
|
VCID-qayx-46yz-d3b8
Aliases: CVE-2026-4598 GHSA-8g7p-jf3g-gxcp |
jsrsasign: jsrsasign: Denial of Service via infinite loop in bnModInverse function with crafted inputs |
Affected by 0 other vulnerabilities. |
|
VCID-r434-j4qg-r3bx
Aliases: CVE-2024-21484 GHSA-rh63-9qcf-83gf GMS-2024-46 |
Marvin Attack of RSA and RSAOAEP decryption in jsrsasign ### Impact RSA PKCS#1.5 or RSAOAEP ciphertexts may be decrypted by this Marvin attack vulnerability. ### Patches update to jsrsasign 11.0.0. ### Workarounds Find and replace RSA and RSAOAEP decryption with other crypto library. ### References https://people.redhat.com/~hkario/marvin/ https://github.com/kjur/jsrsasign/issues/598 |
Affected by 6 other vulnerabilities. |
|
VCID-sm4v-ac3f-6yha
Aliases: CVE-2026-4600 GHSA-wvqx-v3f6-w8rh |
jsrsasign: jsrsasign: Cryptographic signature forgery via malicious DSA domain parameters |
Affected by 0 other vulnerabilities. |
|
VCID-tqjx-apth-9qh1
Aliases: GHSA-h87q-g2wp-47pj GMS-2022-64 |
Signatures are mistakenly recognized to be valid in jsrsasign In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack. |
Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||