CVE-2026-4602
Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
jsrsasign before 11.1.1 silently computes incorrect modular inverses when modPow is called with a negative exponent, breaking signature verification.
Vulnerability
Overview The vulnerability CVE-2026-4602 affects the jsrsasign JavaScript library (npm package) versions before 11.1.1. The root cause is an incorrect handling of negative exponents in the BigInteger.modPow() function within the jsbn.js (or ext/jsbn2.js) file. The function fails to check the sign of the exponent before performing the modular exponentiation, leading to an incorrect conversion between numeric types (CWE-682). When the exponent is negative, bitLength() returns 0 for exponent -1, causing an early return of 1 (i.e., a^0 mod m) for any base and modulus. For other negative exponents (e.g., -k), the function scans the two's-complement representation of the negative number and computes a mathematically wrong but numerically plausible result without throwing any error or warning [1][2].
Exploitation
Conditions An attacker can exploit this vulnerability by providing a negative exponent to the modPow() function. This may occur when code ported from languages like Python (where pow(base, -1, mod) is a built-in modular inverse function) is directly translated to JavaScript using jsrsasign. No authentication or special network position is required for the attacker to trigger the flaw, as the vulnerable function is exposed to any user-supplied input that ends up as the exponent argument. The attack complexity is considered high (CVSS:3.1/AV:N/AC:H) because the attacker must find a way to inject a negative exponent value into the library's operation [1][2].
Impact
The silent production of mathematically incorrect results directly undermines cryptographic signature verification. An attacker can force the computation of incorrect modular inverses, leading to a denial of service (DoS) for signature validation and potentially allowing forged signatures to be accepted erroneously. The CVSS score is 6.5 (Medium), with a partial impact on integrity (incorrect results) and high availability impact (cryptographic functionality DoS). The library's maintainer notes that all versions shipping Tom Wu's jsbn.js are affected up to 11.1.0, and as of April 14, 2026, end of support for jsrsasign has been announced, effective June 3, 2026 [3].
Mitigation
The fix is included in version 11.1.1 of jsrsasign, which adds a check for negative exponents: if the exponent is negative, the function now correctly computes the modular inverse first (this.modInverse(m).modPow(e.negate(), m)) [4]. Users should upgrade to 11.1.1 or later. For those unable to upgrade, the best workaround is to manually validate that exponents are non-negative before calling modPow().
- jsrsasign_on_negative_exponent.md
- NVD - CVE-2026-4602
- GitHub - kjur/jsrsasign: CAUTION: END OF SUPPORT ON 3 JUN 2026. The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES and JSON Web Signature/Token in pure JavaScript.
- Merge pull request #650 from Kr0emer/fix/bug-006-modpow-negative-expo… · kjur/jsrsasign@5ea1c32
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jsrsasignnpm | < 11.1.1 | 11.1.1 |
Affected products
2- jsrsasign/jsrsasigndescription
- Range: <11.1.1
Patches
15ea1c32bb2aaMerge pull request #650 from Kr0emer/fix/bug-006-modpow-negative-exponent
2 files changed · +20 −1
ext/jsbn2.js+3 −1 modified@@ -411,6 +411,9 @@ Barrett.prototype.sqrTo = barrettSqrTo; // (public) this^e % m (HAC 14.85) function bnModPow(e,m) { + if(e.signum() < 0) { + return this.modInverse(m).modPow(e.negate(), m); + } var i = e.bitLength(), k, r = nbv(1), z; if(i <= 0) return r; else if(i < 18) k = 1; @@ -670,4 +673,3 @@ BigInteger.prototype.sqrt = function() { div = y; } } -
test/qunit-do-crypto.html+17 −0 modified@@ -465,6 +465,23 @@ equal(result, true, "SHA1withRSA(x1234) sign/verify key2prv/key2pub"); }); +test("BigInteger.modPow handles negative exponent -1", function() { + var a = new BigInteger("7", 10); + var m = new BigInteger("19", 10); + var got = a.modPow(new BigInteger("-1", 10), m); + var expected = a.modInverse(m); + equal(got.toString(10), expected.toString(10), "a^-1 mod m"); +}); + +test("BigInteger.modPow handles negative exponent -k", function() { + var a = new BigInteger("3", 10); + var m = new BigInteger("23", 10); + var e = new BigInteger("-3", 10); + var got = a.modPow(e, m); + var expected = a.modInverse(m).modPow(e.negate(), m); + equal(got.toString(10), expected.toString(10), "a^-k mod m"); +}); + }); --> </script>
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-8qwj-4jxw-m8jwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-4602ghsaADVISORY
- gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5ghsaWEB
- github.com/kjur/jsrsasign/commit/5ea1c32bb2aa894b4bd29849839afe4f98728195ghsaWEB
- github.com/kjur/jsrsasign/pull/650ghsaWEB
- security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175ghsaWEB
News mentions
0No linked articles in our index yet.