Platform: nodejs
Component: jsrsasign
Fixed in: 11.1.1
CVE-2026-4599 is a critical vulnerability affecting the jsrsasign JavaScript library from version 7.0.0 up to, but not including, 11.1.1. The flaw allows an attacker to recover the private key used for DSA signatures, because of an incomplete comparison in the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions. Successful exploitation could lead to unauthorized access, data breaches, and impersonation. A fix is available in version 11.1.1.
The impact of CVE-2026-4599 is severe. An attacker exploiting this vulnerability can effectively steal the private key used by applications utilizing jsrsasign for digital signatures. This stolen key can then be used to forge signatures, decrypt sensitive data, and impersonate legitimate users or systems. The potential for data breaches and unauthorized access is substantial. This vulnerability shares similarities with other cryptographic weaknesses where flawed random number generation or comparison logic leads to predictable key material, potentially enabling attackers to bypass security controls.
CVE-2026-4599 was publicly disclosed on 2026-03-23. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability is listed on the NVD and is considered a high-priority issue due to its critical severity and potential for significant impact. The EPSS score is likely to be assessed as medium to high, reflecting the ease of exploitation once a suitable exploit is developed.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-4599 is to immediately upgrade to jsrsasign version 11.1.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting the use of DSA signatures or employing alternative cryptographic libraries. While a direct WAF rule is unlikely to be effective, reviewing and tightening access controls to systems using jsrsasign can help limit the potential blast radius. Monitor application logs for unusual signature generation patterns that might indicate exploitation attempts.
Update the jsrsasign dependency to version 11.1.1 or higher. This corrects the incomplete comparison vulnerability that could allow private key recovery. Run `npm install jsrsasign@latest` or `yarn upgrade jsrsasign` to update.
CVE-2026-4599 is a critical vulnerability in jsrsasign versions 7.0.0 to 11.1.1 that allows an attacker to recover the private key used for DSA signatures due to flawed comparison logic.
If you are using jsrsasign version 7.0.0 or later but earlier than 11.1.1, you are potentially affected. Immediately check your dependencies and upgrade.
Upgrade to jsrsasign version 11.1.1 or later to resolve this vulnerability. This is the recommended and most effective mitigation.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the jsrsasign project's official website and GitHub repository for updates and advisories related to CVE-2026-4599.