PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4603 Kjur CVE debrief

CVE-2026-4603 is a low-severity vulnerability affecting jsrsasign package versions before 11.1.1. The issue is a division by zero in the RSASetPublic/KEYUTIL parsing path and in the BigInteger.modPowInt reduction logic. An attacker can trigger it by supplying a JWK whose modulus decodes to zero, which causes RSA public-key operations to produce deterministic zero outputs and conceals 'invalid key' errors. The CVSS score is 2, indicating low severity. Defenders should assess their exposure and prioritize patching to 11.1.1 or later.

Vendor: Kjur
Product: jsrsasign
CVSS: LOW 2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-23
Original CVE updated: 2026-06-22
Advisory published: 2026-03-23
Advisory updated: 2026-06-22

Who should care

Developers and administrators using the jsrsasign package in their applications, especially those relying on its RSA public-key operations for signature verification and encryption, should be aware of this vulnerability. Although the severity is low, the issue should still be addressed to prevent potential exploitation and to ensure that invalid keys are rejected rather than silently accepted.

Technical summary

The vulnerability is caused by a division by zero in the jsrsasign package. Specifically, the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js are affected. An attacker can trigger it by crafting a JWK with a modulus that decodes to zero. RSA public-key operations (e.g., signature verification and encryption) then produce deterministic zero outputs, effectively hiding 'invalid key' errors. The vulnerability has a CVSS score of 2, indicating low severity.

Defensive priority

Low priority, but patching is recommended to prevent potential exploitation.

Recommended defensive actions

  • Inventory and assess the use of jsrsasign package versions before 11.1.1
  • Review and apply the patch from version 11.1.1 or later
  • Monitor for and restrict suspicious JWK inputs
  • Verify cryptographic operations for anomalies
  • Update documentation and procedures for handling cryptographic key management

Evidence notes

The primary evidence for this vulnerability comes from the NVD and CVE records. The jsrsasign package versions before 11.1.1 are affected. The vulnerability allows attackers to cause division by zero errors through specially crafted JWK inputs. Defenders should verify the version of jsrsasign in use and review official advisories for mitigation steps.

This article is AI-assisted and based on the supplied source corpus.