Platform: nodejs
Component: jsrsasign
Fixed in: 11.1.1
CVE-2026-4600 is a vulnerability affecting versions of the jsrsasign JavaScript library released before 11.1.1. This flaw allows attackers to forge Digital Signature Algorithm (DSA) signatures or X.509 certificates due to improper validation of domain parameters. Successful exploitation could lead to unauthorized actions and potential compromise of systems relying on jsrsasign for cryptographic operations. The vulnerability was published on 2026-03-23, and a fix is available in version 11.1.1.
The core of this vulnerability lies in the KJUR.crypto.DSA.setPublic function and related DSA/X509 verification flows within src/dsa-2.0.js. The validation of domain parameters (g, y, and r) is insufficient, allowing an attacker to craft malicious parameters (e.g., g=1, y=1, r=1) that satisfy the verification equation regardless of the underlying hash. This effectively bypasses the signature verification process. An attacker could leverage this to forge digital signatures, potentially impersonating legitimate entities or injecting malicious code into applications that rely on jsrsasign for authentication or integrity checks. The impact is particularly severe in applications using jsrsasign for secure communication or data validation, as it could lead to complete compromise of the system’s trust model. This vulnerability shares similarities with other cryptographic signature forgery vulnerabilities where inadequate parameter validation is exploited.
CVE-2026-4600 is not currently listed on the CISA KEV catalog. The EPSS score is pending evaluation. Public proof-of-concept (PoC) code is not yet publicly available, but the vulnerability's nature suggests that it is likely to be exploited once a PoC is developed. The vulnerability was disclosed on 2026-03-23.
Exploit Status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-4600 is to upgrade to jsrsasign version 11.1.1 or later, which includes the necessary fixes for domain parameter validation. If upgrading immediately is not feasible, consider temporary workarounds. A WAF rule is unlikely to help, because the flaw is in the cryptographic check itself rather than in a request pattern, but strict input validation on any data passed to jsrsasign reduces the attack surface. Review all code that calls KJUR.crypto.DSA.setPublic and ensure that domain parameters are obtained from trusted sources and thoroughly validated before use. Monitor application logs for unusual signature verification errors or attempts to use suspicious domain parameters. After upgrading, confirm the fix by verifying a signature built with the degenerate parameters described above (for example g=1, y=1, r=1): the patched library should reject it.
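To make the mechanism described above concrete, and to show the kind of check the post-upgrade test should exercise, here is an added example (not jsrsasign's own code) of the bare DSA verification equation beside a hardened verifier that performs the range and subgroup checks a patched library is expected to do. The domain parameters, key and signature values are constructed toy values, far too small for real use.

```javascript
// Toy DSA domain parameters (constructed; q divides p-1 and g has order q).
const P = 23n, Q = 11n, G = 4n;
// Toy public key y = g^x mod p for the constructed private key x = 7.
const Y = 8n;

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse via Fermat's little theorem; valid because Q is prime.
function modInv(a, m) { return modPow(a, m - 2n, m); }

// The DSA verification equation with no checks on its inputs, which is the
// shape of the flaw: with g = 1 and y = 1 the value v is always 1, so any
// signature with r = 1 verifies regardless of the hash.
function dsaVerifyUnchecked({ p, q, g, y }, hash, { r, s }) {
  const w = modInv(s, q);
  const u1 = (hash * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Input validation a hardened verifier performs before touching the equation.
function validateDsaInputs({ p, q, g, y }, { r, s }) {
  const inRange = (x, lo, hi) => x > lo && x < hi;
  if (!inRange(g, 1n, p) || !inRange(y, 1n, p)) return false; // rejects g = 1, y = 1
  if (modPow(g, q, p) !== 1n || modPow(y, q, p) !== 1n) return false; // order-q subgroup
  if (!inRange(r, 0n, q) || !inRange(s, 0n, q)) return false; // 0 < r, s < q
  return true;
}

function dsaVerifyStrict(params, hash, sig) {
  return validateDsaInputs(params, sig) && dsaVerifyUnchecked(params, hash, sig);
}

const GOOD = { p: P, q: Q, g: G, y: Y };
const DEGENERATE = { p: P, q: Q, g: 1n, y: 1n }; // the parameters named in the advisory
// (r = 7, s = 7) over hash value 5 was produced with x = 7 and nonce k = 3 (constructed).
console.log(dsaVerifyUnchecked(GOOD, 5n, { r: 7n, s: 7n }));         // true
console.log(dsaVerifyUnchecked(DEGENERATE, 9n, { r: 1n, s: 1n }));   // true: accepted by the bare equation
console.log(dsaVerifyStrict(DEGENERATE, 9n, { r: 1n, s: 1n }));      // false: rejected by validation
```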
Update the jsrsasign dependency to version 11.1.1 or higher. This corrects the improper cryptographic signature verification vulnerability. Run `npm install jsrsasign@latest` or `yarn upgrade jsrsasign` to update.
CVE-2026-4600 is a vulnerability in jsrsasign versions before 11.1.1 that allows attackers to forge DSA signatures due to improper domain parameter validation, potentially leading to unauthorized actions.
You are affected if your application uses jsrsasign versions prior to 11.1.1. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade to jsrsasign version 11.1.1 or later to remediate the vulnerability. If immediate upgrade is not possible, implement temporary workarounds like strict input validation.
While no active exploitation has been confirmed, the vulnerability's nature suggests it is likely to be exploited once a proof-of-concept is developed.
Refer to the jsrsasign project's official website or security advisories for the latest information and updates regarding CVE-2026-4600.