Platform: nodejs
Component: jsrsasign
Fixed in: 11.1.1
CVE-2026-4601 affects versions of the jsrsasign library prior to 11.1.1. This vulnerability allows an attacker to recover the private key used for DSA signing by exploiting a flaw in the KJUR.crypto.DSA.signWithMessageHash process. Successful exploitation could lead to unauthorized access to sensitive data and systems relying on this cryptographic library. Upgrade to version 11.1.1 to resolve this issue.
The core of this vulnerability lies in the DSA signing implementation within jsrsasign. An attacker can craft malicious input that forces the r or s values in the signature to be zero. This triggers the library to emit an invalid signature without attempting a retry. By analyzing this invalid signature, an attacker can mathematically solve for the private key x. The compromise of the private key grants the attacker the ability to impersonate legitimate users, decrypt sensitive communications, and forge digital signatures, effectively undermining the security of any application relying on jsrsasign for DSA-based cryptography. This is particularly concerning for applications handling financial transactions, authentication tokens, or any data requiring strong cryptographic protection.
CVE-2026-4601 was publicly disclosed on 2026-03-23. There is currently no indication of this vulnerability being actively exploited in the wild. The vulnerability's complexity suggests a medium probability of exploitation (EPSS score pending evaluation). No public proof-of-concept (POC) code has been released at the time of this writing, but the vulnerability's theoretical nature makes it a potential target for future exploitation.
Exploit Status
EPSS: 0.01% (3% percentile)
CISA SSVC: not listed
CVSS Vector: not listed
The primary mitigation for CVE-2026-4601 is to immediately upgrade to jsrsasign version 11.1.1 or later. This version contains a fix that prevents the private key recovery vulnerability. If upgrading is not immediately feasible due to compatibility issues or deployment constraints, consider implementing input validation on DSA signatures to reject signatures with r or s values of zero. While this is not a complete solution, it can provide a temporary layer of defense. Monitor your applications for unusual signature generation patterns that might indicate an attempted exploitation. After upgrading, verify the fix by attempting to generate a DSA signature with a manipulated r or s value; the library should now reject the signature and not emit an invalid result.
Update the jsrsasign dependency to version 11.1.1 or higher. This corrects the DSA signing vulnerability that allows private key recovery. Run `npm install jsrsasign@latest` or `yarn upgrade jsrsasign` to update.
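The interim input validation suggested above, written out as an added example (this is not jsrsasign's own code and does not call its API). It assumes the signature is DER-encoded as a SEQUENCE of two INTEGERs (r, s), which is the usual encoding for DSA signatures, and that `q` is the DSA subgroup order. `checkDsaSignatureRange` rejects any signature whose r or s is zero (or outside the open interval (0, q), the check FIPS 186-4 verifiers already apply), and `signWithGuard` wraps an arbitrary signing callback so that such a result is never handed back to the caller: the signer is invoked again, which draws a fresh per-message k, and the wrapper fails closed after a bounded number of attempts. The toy `q` and the hand-built DER byte strings are constructed for the demonstration and are not real DSA parameters; `signFn` is a hypothetical caller-supplied signer.

```javascript
// Added example, not jsrsasign's own code: a defensive guard for DER-encoded
// DSA signatures. Assumes SEQUENCE { INTEGER r, INTEGER s } encoding and that
// q is the DSA subgroup order.

// Parse a DER SEQUENCE { INTEGER r, INTEGER s } given as a hex string.
// Returns { r, s } as BigInt; throws on malformed input.
function parseDerSignature(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error("signature must be an even-length hex string");
  }
  const bytes = [];
  for (let i = 0; i < hex.length; i += 2) bytes.push(parseInt(hex.slice(i, i + 2), 16));
  let pos = 0;

  const readLength = () => {
    let len = bytes[pos++];
    if (len === undefined) throw new Error("truncated DER length");
    if (len & 0x80) {                       // long form: next n bytes hold the length
      const n = len & 0x7f;
      if (n === 0 || n > 4) throw new Error("unsupported DER length form");
      len = 0;
      for (let i = 0; i < n; i++) {
        if (pos >= bytes.length) throw new Error("truncated DER length");
        len = (len << 8) | bytes[pos++];
      }
    }
    return len;
  };

  const readInteger = () => {
    if (bytes[pos++] !== 0x02) throw new Error("expected DER INTEGER");
    const len = readLength();
    if (len === 0 || pos + len > bytes.length) throw new Error("bad INTEGER length");
    // A DER INTEGER with its top bit set is negative; DSA components are never negative.
    if (bytes[pos] & 0x80) throw new Error("negative INTEGER is not a valid DSA component");
    let v = 0n;
    for (let i = 0; i < len; i++) v = (v << 8n) | BigInt(bytes[pos++]);
    return v;
  };

  if (bytes[pos++] !== 0x30) throw new Error("expected DER SEQUENCE");
  const seqLen = readLength();
  if (pos + seqLen !== bytes.length) throw new Error("SEQUENCE length does not match input");
  const r = readInteger();
  const s = readInteger();
  if (pos !== bytes.length) throw new Error("trailing bytes after signature");
  return { r, s };
}

// Check that both components lie in the open interval (0, q). Returns { ok, reason }.
function checkDsaSignatureRange(sigHex, q) {
  let r, s;
  try {
    ({ r, s } = parseDerSignature(sigHex));
  } catch (e) {
    return { ok: false, reason: "malformed: " + e.message };
  }
  if (r === 0n) return { ok: false, reason: "r is zero" };
  if (s === 0n) return { ok: false, reason: "s is zero" };
  if (r >= q) return { ok: false, reason: "r >= q" };
  if (s >= q) return { ok: false, reason: "s >= q" };
  return { ok: true, reason: "ok" };
}

// Wrap a signing callback (hypothetical signFn, assumed to return DER hex) so a
// zero component is never returned to the caller: call the signer again, which
// draws a fresh per-message k, and fail closed after maxAttempts.
function signWithGuard(signFn, q, maxAttempts = 8) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const sigHex = signFn();
    const verdict = checkDsaSignatureRange(sigHex, q);
    if (verdict.ok) return { sigHex, attempts: attempt };
    // Repeated zero components from one key are unusual and worth logging/alerting on.
  }
  throw new Error(`no valid DSA signature after ${maxAttempts} attempts`);
}

// Constructed sample data (not real DSA parameters): a toy q and hand-built
// DER signatures used to exercise the guard.
const SAMPLE_Q = 0xffffn;
const SAMPLE_SIGS = {
  good:    "30080202123402020abc",   // r=0x1234, s=0x0abc
  zeroR:   "300702010002020abc",     // r=0,      s=0x0abc
  zeroS:   "300702021234020100",     // r=0x1234, s=0
  rTooBig: "3009020300ffff02020abc", // r=0xffff (== q), s=0x0abc
};

// Exercise the retry wrapper with a fake signer that yields a zero-r
// signature once before producing a good one.
function demoRetry() {
  const queue = [SAMPLE_SIGS.zeroR, SAMPLE_SIGS.good];
  return signWithGuard(() => queue.shift(), SAMPLE_Q);
}

for (const [name, hex] of Object.entries(SAMPLE_SIGS)) {
  console.log(name, checkDsaSignatureRange(hex, SAMPLE_Q));
}
console.log("retry demo:", demoRetry());
```

In a deployment, `checkDsaSignatureRange` belongs on both sides: in front of the signer, so a zero component is retried rather than emitted, and in the verifier, where a signature with r or s outside (0, q) must be rejected outright. Rejecting on the verify path does not protect the signing key, so the check is a stopgap until the upgrade to 11.1.1 lands.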
CVE-2026-4601 is a HIGH severity vulnerability in jsrsasign versions before 11.1.1 that allows attackers to recover the private key used for DSA signing by manipulating signatures.
If you are using jsrsasign versions prior to 11.1.1, you are potentially affected by this vulnerability. Check your installed version immediately.
Upgrade to jsrsasign version 11.1.1 or later to resolve this vulnerability. If immediate upgrade is not possible, implement input validation on DSA signatures.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the jsrsasign project's official website and security advisories for the latest information and updates regarding CVE-2026-4601.