Executive Summary
A critical cryptographic vulnerability (CVE-2026-4599) has been disclosed in the widely used JavaScript cryptography library jsrsasign, affecting all versions from 7.0.0 up to (but not including) 11.1.1. The flaw stems from an Incomplete Comparison with Missing Factors in the random number generation routines used during DSA signature operations, allowing an attacker who can observe sufficient DSA signatures to recover the signer's private key.
CVSS Score: 9.1 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-4599 |
| CVSS Score | 9.1 (Critical) |
| CVSS 4.0 Score | 9.3 |
| Type | Incomplete Comparison with Missing Factors (CWE-184) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected Functions | getRandomBigIntegerZeroToMax, getRandomBigIntegerMinToMax |
| Affected File | src/crypto-1.1.js |
| Library | jsrsasign (npm: jsrsasign) |
| Affected Versions | 7.0.0 – 11.1.0 |
| Fixed Version | 11.1.1 |
| Published | 2026-03-23 |
Affected Products
| Package | Ecosystem | Affected Versions | Fixed Version |
|---|---|---|---|
| jsrsasign | npm | 7.0.0 – 11.1.0 | 11.1.1 |
Additional impacted products (via dependency):
- Red Hat Migration Toolkit for Virtualization
- Red Hat Quay 3
Any application that uses jsrsasign for DSA signature generation in the affected version range is vulnerable.
Technical Details
Root Cause
The functions getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax in src/crypto-1.1.js perform range checks using compareTo() to ensure that randomly generated BigInteger candidates fall within the specified bounds. Because the comparison logic is incomplete (factors missing from the comparison condition), candidates that fall outside the intended range are erroneously accepted instead of being rejected and redrawn.
How This Breaks DSA Security
In DSA (Digital Signature Algorithm), each signature operation requires a random per-signature value called a nonce (also called k). The security of DSA depends critically on the nonce being:
- Truly random — unpredictable to an attacker
- Strictly within bounds — the interval [1, q-1], where q is the DSA subgroup order
When the nonce generation accepts out-of-range values:
- The nonce distribution becomes biased — certain values appear more frequently than others
- An attacker who observes multiple DSA signatures can exploit this bias using lattice reduction techniques (e.g., the Lenstra–Lenstra–Lovász (LLL) algorithm)
- With enough biased signatures, the attacker can solve for the private key x
Attack Chain
1. Attacker identifies a target service using jsrsasign 7.0.0–11.1.0 for DSA signing (API endpoints, JWT issuance, document signing, etc.)
2. Attacker collects multiple DSA signatures from the target service (e.g., by submitting requests that trigger signing operations)
3. Each signature contains a nonce k that is slightly biased due to the incorrect compareTo logic in getRandomBigIntegerZeroToMax
4. Attacker applies lattice-based cryptanalysis (LLL / BKZ) to the collected (signature, message) pairs to exploit the nonce bias
5. After collecting sufficient signatures (number depends on bias magnitude and DSA key size), attacker recovers private key x
6. With private key x recovered, attacker can:
   - Forge arbitrary DSA signatures
   - Impersonate the signing entity for any message
   - Decrypt DSA-encrypted communications (in combined schemes)
CVSS Score Breakdown
| Metric | Rating | Rationale |
|---|---|---|
| Attack Vector | Network | Key recovery via observed signatures over any channel |
| Attack Complexity | Low | Standard lattice attacks are well-documented and automated |
| Privileges Required | None | No authentication needed to observe public signatures |
| User Interaction | None | Passive observation of normal service output is sufficient |
| Confidentiality Impact | High | Private key exposure grants full impersonation capability |
| Integrity Impact | High | Forged signatures undermine authentication and non-repudiation |
| Availability Impact | None | No direct availability impact |
Related Vulnerabilities (Same Batch)
CVE-2026-4599 was disclosed alongside three additional jsrsasign vulnerabilities on 2026-03-23:
| CVE | Description | CVSS |
|---|---|---|
| CVE-2026-4601 | Missing Cryptographic Step in KJUR.crypto.DSA.signWithMessageHash — forces r or s to zero, emitting invalid signature without retry | 9.4 |
| CVE-2026-4598 | Infinite loop via bnModInverse when given zero/negative input; permanent process hang | 7.5 |
| CVE-2026-4603 | Division by zero via RSA/JWK parsing — deterministic zero output when modulus decodes to zero | 5.9 |
All four vulnerabilities are fixed in jsrsasign v11.1.1.
Impact Assessment
| Impact Area | Description |
|---|---|
| Private Key Recovery | Attacker recovers DSA private key via lattice cryptanalysis of biased nonces |
| Signature Forgery | With the private key, attacker can forge valid DSA signatures for any message |
| Authentication Bypass | Systems relying on DSA-signed tokens/JWTs can be completely bypassed |
| Data Integrity | Signed documents, transactions, or communications can be backdated or modified |
| Non-repudiation Failure | Legitimate parties can no longer prove they signed something; attacker can deny |
| Supply Chain Risk | Red Hat Quay and Migration Toolkit for Virtualization ship affected versions |
Recommendations
Immediate Action
```bash
# Check your current jsrsasign version
npm list jsrsasign
# Upgrade to the patched version
npm install jsrsasign@11.1.1
# Verify the upgrade
npm list jsrsasign
# Should show: jsrsasign@11.1.1
```
Check for Transitive Dependencies
```bash
# Find all packages depending on jsrsasign
npm ls jsrsasign --all
# Or with pnpm
pnpm why jsrsasign
# Or with yarn
yarn why jsrsasign
```
Audit Signature Operations
If you used jsrsasign for DSA signing in the vulnerable version range:
- Assume private key compromise — treat any DSA key pair used with jsrsasign 7.0.0–11.1.0 as potentially recovered
- Rotate all affected DSA key pairs — generate new keys using a trusted, patched implementation
- Revoke old certificates — if the DSA keys were certified (PKI), request revocation from your CA
- Re-issue signed artifacts — any documents, JWTs, or tokens signed with the old keys should be re-signed with new keys
- Review audit logs — check for unusual signature verification activity that may indicate exploitation
Consider Migration to ECDSA
DSA as an algorithm has been increasingly deprecated in favor of ECDSA and EdDSA (Ed25519):
```javascript
// Instead of DSA signing, prefer EdDSA (Ed25519) or ECDSA (P-256)
// using the Web Crypto API or a modern library like @noble/curves
import { ed25519 } from '@noble/curves/ed25519';
// Generate key pair (utils.randomPrivateKey is the @noble/curves 1.x name)
const privKey = ed25519.utils.randomPrivateKey();
const pubKey = ed25519.getPublicKey(privKey);
// Sign
const msg = new Uint8Array([1, 2, 3]);
const sig = ed25519.sign(msg, privKey);
// Verify
ed25519.verify(sig, msg, pubKey); // true
```
Detection Indicators
| Indicator | Description |
|---|---|
| High-frequency signature requests from a single IP | Potential lattice attack data collection |
| jsrsasign version < 11.1.1 in package.json or package-lock.json | Vulnerable version in use |
| DSA key pairs in use with web services | Assess whether observable signatures are produced |
| Unexpected token validation failures | Possible signature forgery attempts |
Post-Remediation Checklist
- Upgrade jsrsasign to 11.1.1 in all projects
- Update package-lock.json or yarn.lock and commit
- Rotate all DSA key pairs used with the vulnerable library
- Revoke and reissue any certificates or tokens signed with the old keys
- Update CI/CD pipelines and Docker images to use the patched version
- Run npm audit to confirm no further known vulnerabilities
- If running Red Hat Quay or Migration Toolkit, apply Red Hat's security errata