CVE-2026-4603
Analyzed
Analyzed - Analysis Complete
Division by Zero in jsrsasign RSA Key Parsing Causes Verification Bypass
Vulnerability report for CVE-2026-4603, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-23
Last updated on: 2026-06-22
Assigner: Snyk
Description
Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide βinvalid keyβ errors by supplying a JWK whose modulus decodes to zero.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kjur | jsrsasign | From 11.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-369 | The product divides a value by zero. |