CVE-2021-30246
Description
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The jsrsasign package through 10.1.13 for Node.js mistakenly accepts some invalid RSA PKCS#1 v1.5 signatures because of lenient prefix parsing.
Vulnerability
The jsrsasign package for Node.js (versions up to and including 10.1.13) contains a flaw in its RSA PKCS#1 v1.5 signature verification logic. The RSAKey.prototype.verify function in jsrsasign.js uses an incorrect regex pattern (/^1f+00/) to strip the prefix from the PKCS#1 encoded message, and ignores leading 0x00 bytes when converting the signature to an integer. This leniency causes some invalid signatures to be mistakenly accepted as valid [2].
Exploitation
An attacker would need to craft a specially malformed RSA PKCS#1 v1.5 signature that, due to the flawed parsing, passes verification. According to the advisory, the bug arises because leading 0x00 bytes are ignored during octet-to-integer conversion, and the regex pattern does not properly enforce the required block type byte (0x01) and padding length (at least 8 bytes of 0xFF) [2]. The note indicates no known practical attack exists [1].
Impact
Successful exploitation could lead to acceptance of forged RSA signatures, undermining the integrity of any system relying on jsrsasign for signature verification. This could allow an attacker to bypass authentication or tamper with signed data without possessing the corresponding private key [1][2].
Mitigation
A fixed version has not been explicitly mentioned in the available references; the project maintainers noted in 2026 that the library would reach end-of-support soon [3]. Users should update to a later version if available (e.g., check for releases after 10.1.13) or consider migrating to an alternative cryptographic library. No workaround is provided in the references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jsrsasign (npm) | < 10.2.0 | 10.2.0 |
Affected products
- Node.js/jsrsasign
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-27fj-mc8w-j9wg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-30246 (GHSA advisory)
- github.com/kjur/jsrsasign/issues/478 (GHSA, x_refsource_MISC)
- github.com/kjur/jsrsasign/releases/tag/10.1.13 (GHSA, x_refsource_MISC)
- github.com/kjur/jsrsasign/security/advisories/GHSA-27fj-mc8w-j9wg (GHSA)
- kjur.github.io/jsrsasign (GHSA; MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.