Platform
nodejs
Component
jsrsasign
Fixed in
11.1.1
CVE-2026-4603 identifies a division-by-zero vulnerability in jsrsasign versions before 11.1.1. The flaw lies in the RSASetPublic/KEYUTIL key-parsing path in ext/rsa.js and in the BigInteger.modPowInt reduction logic in ext/jsbn.js: a modulus of zero is accepted at parse time, and the subsequent modular reduction yields zero instead of raising an error. Successful exploitation therefore forces RSA public-key operations to produce a predictable zero output, masking what should have been an invalid-key error.
An attacker can trigger the condition by crafting a JSON Web Key (JWK) whose modulus decodes to zero. RSA public-key operations performed with that key, such as signature verification and encryption, then consistently return zero rather than failing. The direct impact is not a compromise of data confidentiality or integrity but the suppression of an error: code that expects a bad key to fail loudly instead sees a silent zero result, which can bypass security checks that rely on a valid RSA operation, quietly degrade security posture, or hide underlying key-management problems. The impact is heightened in environments where jsrsasign performs critical cryptographic functions.
CVE-2026-4603 was publicly disclosed on 2026-03-23. There is no indication of active exploitation at the time of writing. The CVSS base score is 5.9 (MEDIUM); this rates severity, not likelihood, and the EPSS estimate below places the probability of exploitation in the near term at 0.01%. No public proof-of-concept (PoC) code has been released, but the trigger, a JWK whose modulus decodes to zero, is simple to construct, so the issue is straightforward to reproduce.
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4603 is to upgrade jsrsasign to version 11.1.1 or later. If an immediate upgrade is not feasible because of compatibility concerns, add strict validation of JWK parameters before they are handed to jsrsasign, rejecting at minimum any modulus that decodes to zero. This is a stopgap, not a complete fix, but it removes the input that reaches the division-by-zero path. Also review application logs for RSA operations that unexpectedly return zero, which could indicate an exploitation attempt. After upgrading, confirm the fix by passing a JWK with a zero modulus through the same code path; the operation should now raise an error instead of returning zero.
Update the jsrsasign dependency to version 11.1.1 or later, which corrects the division-by-zero condition. Run `npm install jsrsasign@latest` or `yarn upgrade jsrsasign`, then confirm that the version resolved in your lockfile is 11.1.1 or higher.
CVE-2026-4603 is a division-by-zero vulnerability in jsrsasign versions before 11.1.1: flawed key parsing and modular reduction let a zero modulus through, so RSA public-key operations return zero instead of raising an error.
You are affected if you use jsrsasign earlier than 11.1.1 in your Node.js applications and parse RSA public keys, in particular JWKs, from untrusted sources.
Upgrade jsrsasign to version 11.1.1 or later. As a temporary workaround, validate JWK parameters and reject any modulus that decodes to zero before the key is processed.
There is currently no evidence of active exploitation of CVE-2026-4603, but the trigger is easy to construct, so the issue remains exploitable wherever untrusted keys are parsed.
Refer to the jsrsasign project's official release notes and security advisories on their GitHub repository for the most up-to-date information.