Fluid Attacks Database

Description

jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	jsrsasign	>=0 <11.1.1	11.1.1

Aliases

1. CVE-2026-45982. NVD-2026-45983. OSV-2026-45984. GCVE-2026-4598

References

1. https://github.com/kjur/jsrsasign/pull/6482. https://github.com/kjur/jsrsasign/commit/ca5b027240287a1e71fe63019fc44003325943233. https://gist.github.com/Kr0emer/a1bf5cd4547cc630d2dcc5e761de8264

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.