Medium severity 5.9 · NVD Advisory · Published Mar 23, 2026 · Updated Apr 29, 2026

CVE-2026-4603


Description

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.
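
Upgrading to 11.1.1 is the fix. As a defence-in-depth guard for code that accepts JWKs from untrusted sources, the following added example (not code from jsrsasign or from this advisory) rejects a modulus that decodes to zero before the key reaches any RSA operation. The function names are hypothetical, and the parity, exponent and minimum-size checks are policy assumptions stricter than the patch.

```javascript
// Added example: structural pre-check of an RSA public JWK before it reaches
// a crypto library. Function names are hypothetical, not jsrsasign APIs.

// Decode an unpadded base64url string to a non-negative BigInt.
function b64uToBigInt(s) {
  if (typeof s !== "string" || !/^[A-Za-z0-9_-]+$/.test(s)) {
    throw new Error("not a base64url string");
  }
  const bytes = Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
  if (bytes.length === 0) throw new Error("decodes to no bytes");
  return BigInt("0x" + bytes.toString("hex"));
}

// Returns { ok: true, bits } or { ok: false, reason }.
// minBits and the parity checks are policy assumptions stricter than the
// 11.1.1 patch, which rejects n <= 1 and e <= 0.
function checkRsaPublicJwk(jwk, minBits = 2048) {
  if (jwk === null || typeof jwk !== "object" || jwk.kty !== "RSA") {
    return { ok: false, reason: "not an RSA JWK" };
  }
  let n, e;
  try {
    n = b64uToBigInt(jwk.n);
    e = b64uToBigInt(jwk.e);
  } catch (err) {
    return { ok: false, reason: "malformed n or e: " + err.message };
  }
  if (n <= 1n) return { ok: false, reason: "modulus is zero or one" };
  if (n % 2n === 0n) return { ok: false, reason: "modulus is even" };
  if (e < 3n || e % 2n === 0n) return { ok: false, reason: "bad public exponent" };
  const bits = n.toString(2).length;
  if (bits < minBits) return { ok: false, reason: "modulus under " + minBits + " bits" };
  return { ok: true, bits };
}

// Constructed inputs: the zero-modulus JWK used in the fix commit's test, and
// a 2048-bit all-ones value that is structurally valid (not a real key).
const zeroJwk = { kty: "RSA", n: "AA", e: "AQAB" };
const sizedJwk = { kty: "RSA", e: "AQAB",
  n: Buffer.alloc(256, 0xff).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "") };
console.log(checkRsaPublicJwk(zeroJwk));
console.log(checkRsaPublicJwk(sizedJwk));
```

Longer all-zero encodings such as "AAAA" decode to the same zero value, which is why the check compares the decoded integer rather than the string.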

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
jsrsasign (npm)    < 11.1.1            11.1.1


Patches

dc41d49fac42

Merge pull request #649 from Kr0emer/fix/bug-005-rsa-zero-modulus

https://github.com/kjur/jsrsasign · Kenji Urushima · Feb 20, 2026 · via ghsa
3 files changed · +35 −2
  • ext/jsbn.js+1 1 modified
    @@ -354,7 +354,7 @@ function bnpSquareTo(r) {
     // r != q, this != m.  q or r may be null.
     function bnpDivRemTo(m,q,r) {
       var pm = m.abs();
    -  if(pm.t <= 0) return;
    +  if(pm.t <= 0) throw "BigInteger divide by zero";
       var pt = this.abs();
       if(pt.t < pm.t) {
         if(q != null) q.fromInt(0);
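
Review bot: the new throw in bnpDivRemTo raises a bare string, so callers get no stack trace and a handler that tests `instanceof Error` will not match it. Consider `throw new Error("BigInteger divide by zero")`, and extend the comment above the function ("r != q, this != m. q or r may be null.") to say that a zero m now throws instead of returning silently with q and r untouched.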
    
  • ext/rsa.js+9 0 modified
    @@ -167,6 +167,15 @@ function RSASetPublic(N, E) {
         } else {
     	throw "Invalid RSA public key";
         }
    +
    +    if (this.n == null ||
    +	typeof this.n.compareTo !== "function" ||
    +	this.n.compareTo(BigInteger.ONE) <= 0 ||
    +	this.e == null ||
    +	isNaN(this.e) ||
    +	this.e <= 0) {
    +	throw "Invalid RSA public key";
    +    }
     }
     
     // Perform raw public operation on "x": return x^e (mod n)
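
Review bot: the range check added to RSASetPublic reads this.n and this.e, so the rejected values are already stored on the key object when it throws; a caller that catches "Invalid RSA public key" and keeps the RSAKey still holds the bad modulus. Validate the parsed values in locals before assigning them, or set this.n and this.e back to null before the throw. Separately, `this.e <= 0` still accepts e = 1, for which the raw public operation below (x^e mod n) returns x unchanged; tighten the bound if that is not intended.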
    
  • test/qunit-do-crypto.html+25 1 modified
    @@ -232,6 +232,31 @@
       equal(n, 100, "100 times success:" + n0 + ":" + n1 + ":" + n2 + ":" + n3);
     });
     
    +test("RSASetPublic rejects zero modulus", function() {
    +  throws(function() {
    +    var pub = new RSAKey();
    +    pub.setPublic("00", "10001");
    +  },
    +  "Invalid RSA public key",
    +  "reject zero modulus");
    +});
    +
    +test("KEYUTIL.getKey rejects JWK with zero modulus", function() {
    +  throws(function() {
    +    KEYUTIL.getKey({kty: "RSA", n: "AA", e: "AQAB"});
    +  },
    +  "Invalid RSA public key",
    +  "reject JWK n=0");
    +});
    +
    +test("BigInteger.modPowInt throws when modulus is zero", function() {
    +  throws(function() {
    +    new BigInteger("deadbeef", 16).modPowInt(65537, BigInteger.ZERO);
    +  },
    +  "BigInteger divide by zero",
    +  "reject mod(0)");
    +});
    +
     test("MessageDigest test", function() {
       expect(10);
       var md1 = new KJUR.crypto.MessageDigest({"alg": "sha1", "prov": "cryptojs"});
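
Review bot: the three new tests exercise only a zero modulus ("00", "AA", BigInteger.ZERO), while the check added to RSASetPublic in this commit also rejects n = 1 and a null, NaN or non-positive exponent. Add cases such as `pub.setPublic("01", "10001")` and a setPublic call with exponent "0" so those branches are covered.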
    @@ -419,4 +444,3 @@ <h2 id="qunit-userAgent"></h2>
     </p>
     </body>
     </html>
    -
    
