Platform: nodejs
Component: jsrsasign
Fixed in: 11.1.1
CVE-2026-4602 affects versions of the jsrsasign JavaScript library released before 11.1.1. This vulnerability stems from an incorrect conversion between numeric types within the ext/jsbn2.js module, specifically related to the handling of negative exponents. Successful exploitation allows an attacker to manipulate modular inverse calculations, potentially leading to signature forgery and compromising the integrity of digitally signed data.
The core impact of CVE-2026-4602 is that an attacker can bypass signature verification. By crafting input that triggers the flawed numeric conversion, an attacker can force jsrsasign to compute an incorrect modular inverse when modPow is called with a negative exponent, so that a forged signature is accepted as valid by systems that rely on jsrsasign for verification. The blast radius depends on where jsrsasign is used: in a critical authentication or authorization flow the impact could be severe, potentially granting unauthorized access to sensitive resources or systems. The vulnerability is particularly dangerous in applications handling financial transactions, secure communications, or any other scenario where digital signatures guarantee data integrity and authenticity.
CVE-2026-4602 was published on March 23, 2026. Severity is currently assessed as High (CVSS 7.5). There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term. Refer to the NVD (National Vulnerability Database) for updates and further information.
Exploit Status
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-4602 is to upgrade to jsrsasign version 11.1.1 or later. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporary workarounds. A WAF rule is unlikely to be effective on its own, but carefully scrutinizing input parameters that feed exponentiation and modular arithmetic in your application can provide a limited layer of defense. Thorough input validation, specifically checking for negative exponents and ensuring they are handled correctly, is crucial. After upgrading to version 11.1.1, confirm the fix by attempting to reproduce the vulnerability with known malicious input and verifying that signature verification fails as expected.
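A first step for the "check your project dependencies" advice is to audit the npm lockfile for every installed copy of jsrsasign, including transitive ones nested under other packages. The script below is an added example, not code from the advisory or from the jsrsasign project; it walks both lockfile v1 (`dependencies`) and v2/v3 (`packages`) shapes and uses a constructed sample lockfile as input.

```javascript
// Added example (not part of the advisory): audit an npm lockfile for jsrsasign
// versions below the fixed release 11.1.1. Handles lockfileVersion 1 (nested
// "dependencies") and lockfileVersion 2/3 ("packages" keyed by node_modules path).
const FIXED = "11.1.1";
const PKG = "jsrsasign";

// Compare two "x.y.z" version strings numerically; prerelease/build tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every installed jsrsasign entry (path + version) from a parsed lockfile.
function findPackage(lock) {
  const found = [];
  if (lock.packages) {                                   // lockfileVersion 2/3
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith("node_modules/" + PKG)) found.push({ path: p, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {                       // lockfileVersion 1
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = prefix + "node_modules/" + name;
      if (name === PKG) found.push({ path: p, version: meta.version });
      walk(meta.dependencies, p + "/");                  // nested copies
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Entries still affected by CVE-2026-4602, i.e. version < 11.1.1.
function vulnerableEntries(lock) {
  return findPackage(lock).filter(e => compareVersions(e.version, FIXED) < 0);
}

// Constructed sample lockfile (v3 shape): the direct dependency is already fixed,
// but a transitive copy under another package is still on an older release.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/jsrsasign": { version: "11.1.1" },
    "node_modules/some-lib/node_modules/jsrsasign": { version: "10.9.0" },
  },
};
console.log(vulnerableEntries(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any entry printed still needs the upgrade.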
Update the jsrsasign package to version 11.1.1 or later. This fixes the vulnerability related to the incorrect handling of negative exponents in the modPow function and prevents possible signature verification attacks.
It's a vulnerability in jsrsasign versions before 11.1.1 in which an incorrect numeric type conversion enables signature forgery.
If you are using jsrsasign versions earlier than 11.1.1, you are potentially vulnerable. Check your project dependencies.
Upgrade to jsrsasign version 11.1.1 or later to resolve this vulnerability. If upgrading is not possible, implement input validation.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-4602.
Refer to the National Vulnerability Database (NVD) entry for CVE-2026-4602 for detailed information and updates.