CVE-2026-4600 Kjur CVE debrief

Who should care

Developers and security teams using the jsrsasign package, especially those relying on DSA for cryptographic operations, should prioritize updating to version 11.1.1 or later. Organizations that utilize jsrsasign for digital signatures or certificate verification are at risk and need to assess their exposure and take appropriate action.

Technical summary

The vulnerability is caused by improper verification of cryptographic signatures in the jsrsasign package. Specifically, the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic and related DSA/X509 verification flows in src/dsa-2.0.js are flawed. An attacker can forge DSA signatures or X.509 certificates by providing malicious domain parameters, such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash. This affects all versions before 11.1.1 of jsrsasign.

Defensive priority

High priority due to potential for signature forgery and certificate impersonation.

Recommended defensive actions

• Update jsrsasign to version 11.1.1 or later.
• Review and validate DSA usage in your applications.
• Implement additional verification checks for cryptographic signatures.
• Monitor for suspicious signature verification activities.
• Consider alternative cryptographic algorithms if possible.

Evidence notes

The primary evidence for this vulnerability comes from the NVD and CVE records. The vulnerability affects jsrsasign versions before 11.1.1. The issue involves DSA domain-parameter validation and the potential for forging signatures or certificates. Defenders should verify their use of jsrsasign, check their current version, and review DSA usage in their applications.

Official resources