CVE-2026-4602
Incorrect Numeric Conversion in jsrsasign Causes Signature Bypass
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: Snyk
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jsrsasign_project | jsrsasign | to 11.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-681 | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-4602 is a vulnerability in the jsrsasign JavaScript cryptographic library, specifically in the BigInteger.modPow() function used for modular exponentiation. The issue occurs when modPow() is called with a negative exponent. Instead of correctly computing the modular inverse, the function silently returns incorrect results without any error or warning.'}, {'type': 'paragraph', 'content': "Technically, the function interprets the negative exponent's two's-complement bit representation as a large positive number or returns 1 for an exponent of -1, both mathematically incorrect. This leads to wrong modular exponentiation results."}, {'type': 'paragraph', 'content': 'This flaw can cause cryptographic signature verification to fail silently, as signatures generated using these incorrect calculations are invalid but appear structurally correct. The vulnerability does not leak key material but can cause denial of service by breaking signature verification.'}] [1, 3]
How can this vulnerability impact me? :
The vulnerability can impact you by causing cryptographic operations that rely on modular exponentiation with negative exponents to produce incorrect results silently. For example, digital signature generation or verification may fail because the modular inverse is computed incorrectly.
This leads to denial of service (DoS) scenarios where valid signatures cannot be produced or verified, disrupting authentication or data integrity processes.
No confidential information or cryptographic keys are exposed, but the availability of cryptographic services is affected due to silent failures in signature verification.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability arises when the `BigInteger.modPow()` function in the jsrsasign library is called with a negative exponent, resulting in incorrect modular exponentiation without any exceptions or warnings.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you should check if your environment uses jsrsasign versions up to 11.1.0, especially if your code or dependencies call `modPow()` with potentially negative exponents.'}, {'type': 'paragraph', 'content': 'There are no direct network detection commands since this is a library-level issue causing silent cryptographic failures. However, you can test for the vulnerability by running JavaScript code snippets that call `modPow()` with negative exponents and verify if the results are mathematically correct.'}, {'type': 'list_item', 'content': "Run a test script in your environment that executes `modPow()` with a negative exponent, for example: `BigInteger('2').modPow(BigInteger('-1'), BigInteger('5'))`. The correct result should be 3, but vulnerable versions return 1."}, {'type': 'list_item', 'content': 'Check your installed jsrsasign package version using npm: `npm list jsrsasign` or `npm ls jsrsasign`.'}, {'type': 'list_item', 'content': 'Search your codebase for calls to `modPow()` with negative exponents or usage patterns that might lead to such calls.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade the jsrsasign library to version 11.1.1 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, modify your code to avoid calling `modPow()` with negative exponents. Instead, use the `modInverse()` function explicitly to compute modular inverses.'}, {'type': 'paragraph', 'content': 'The fix implemented in the patched version adds a check for negative exponents and correctly computes the modular inverse before exponentiation, preventing incorrect results.'}, {'type': 'list_item', 'content': 'Upgrade jsrsasign to version 11.1.1 or later.'}, {'type': 'list_item', 'content': "Replace any calls like `modPow(new BigInteger('-1'), modulus)` with `modInverse(modulus)`."}, {'type': 'list_item', 'content': 'Run regression tests to verify that cryptographic operations involving modular exponentiation behave correctly.'}] [2, 3, 4]