CVE-2026-4599 Overview
CVE-2026-4599 is a critical cryptographic vulnerability in the jsrsasign package, a widely used JavaScript cryptographic library that provides RSA, DSA, ECDSA, and other cryptographic operations in Node.js applications. Versions from 7.0.0 up to, but not including, 11.1.1 contain an Incomplete Comparison with Missing Factors weakness in the random number generation functions that can allow attackers to recover private keys.
The vulnerability lies in the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js. Because their compareTo checks accept out-of-range candidates, the generated random values are biased, which in turn biases the DSA nonces produced during signature generation. Attackers can exploit this weakness to recover private keys through mathematical analysis of collected signatures.
Critical Impact
Attackers can exploit biased DSA nonce generation to recover private keys, compromising the entire cryptographic security of applications using affected jsrsasign versions for digital signatures.
Affected Products
- jsrsasign versions from 7.0.0 to before 11.1.1
- Node.js applications using vulnerable jsrsasign package versions
- Web applications implementing DSA signature generation with affected library versions
Discovery Timeline
- 2026-03-23 - CVE-2026-4599 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-4599
Vulnerability Analysis
This vulnerability falls under CWE-1023 (Incomplete Comparison with Missing Factors), a weakness category that here manifests as a cryptographic implementation flaw. The core issue is how the random big integer generation functions validate generated values against the acceptable range.
In cryptographic signature schemes like DSA, the security of the private key depends critically on the randomness of nonces used during signature generation. When the random number generator produces biased outputs due to flawed range checking, an attacker who can collect multiple signatures can apply lattice-based attacks or other cryptanalytic techniques to recover the private key.
The flawed comparison in the affected functions uses compareTo(biRand) != -1 to decide whether a randomly generated big integer falls within the acceptable range. This check incorrectly accepts values that should be rejected, introducing statistical bias into the random number distribution.
Root Cause
The root cause is an incorrect comparison in the random big integer generation logic. The original code used compareTo(biRand) != -1, which does not reliably reject out-of-range candidates. The comparison should verify that the random value is less than or equal to the maximum allowed value, but the flawed check lets values that exceed the intended range pass through.
This subtle bug causes the random number generator to produce a non-uniform distribution of values, violating the fundamental requirement that nonces be uniformly random within the valid range.
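As an added illustration (not jsrsasign's code), the following plain-integer model of the rejection-sampling loop uses a compareTo that, like jsbn's BigInteger.compareTo, returns a signed difference rather than a normalized -1/0/1, and enumerates which candidates the != -1 and >= 0 checks each accept; the maximum value 5 and the candidate sequence are constructed.

```javascript
// Added example, not jsrsasign's code: a plain-integer model of
// getRandomBigIntegerZeroToMax. compareTo mirrors jsbn BigInteger.compareTo
// for small values: it returns the signed difference, not a normalized -1/0/1.
function compareTo(a, b) { return a - b; }
function bitLength(n) { return n === 0 ? 0 : n.toString(2).length; }

// The acceptance test as written before and after the fix.
function acceptsVulnerable(max, cand) {
  return compareTo(max, cand) != -1; // rejects only cand === max + 1
}
function acceptsFixed(max, cand) {
  return compareTo(max, cand) >= 0; // rejects every cand > max
}

// Enumerate every value a bitLength(max)-bit generator can emit and keep
// those a given check would let the loop return.
function acceptedCandidates(max, accepts) {
  const out = [];
  for (let cand = 0; cand < 2 ** bitLength(max); cand++) {
    if (accepts(max, cand)) out.push(cand);
  }
  return out;
}

// Accepted values above max: the out-of-range candidates the advisory describes,
// and the reason the output is no longer uniform on [0, max].
function outOfRange(max, accepts) {
  return acceptedCandidates(max, accepts).filter((c) => c > max);
}

// Loop shaped like the vulnerable function, with an injectable candidate source
// (stand-in for getRandomBigIntegerOfNbits) so runs are reproducible.
function zeroToMax(max, accepts, nextCandidate) {
  const nbits = bitLength(max);
  while (true) {
    const cand = nextCandidate(nbits);
    if (accepts(max, cand)) return cand;
  }
}

// Constructed candidate stream; throws instead of looping forever if exhausted.
function fromSequence(seq) {
  let i = 0;
  return () => {
    if (i >= seq.length) throw new Error("candidate stream exhausted");
    return seq[i++];
  };
}
```

With max = 5 the generator draws 3-bit values 0..7; the vulnerable check returns 7 as a valid result, the fixed check never does.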
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can exploit this vulnerability through the following approach:
- Signature Collection: The attacker collects multiple DSA signatures generated by the vulnerable application
- Statistical Analysis: Due to the biased nonce generation, the collected signatures leak information about the private key
- Lattice Attack: Using techniques such as the Hidden Number Problem (HNP) solver, the attacker can mathematically recover the private key from the biased signatures
- Key Compromise: With the recovered private key, the attacker can forge signatures, impersonate the victim, or decrypt communications
The following patch shows the fix applied to correct the comparison logic:
var bitLenMax = biMax.bitLength();
while (1) {
var biRand = KJUR.crypto.Util.getRandomBigIntegerOfNbits(bitLenMax);
- if (biMax.compareTo(biRand) != -1) return biRand;
+ if (biMax.compareTo(biRand) >= 0) return biRand;
}
};
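Review bot: the `>= 0` test is the right fix because `!= -1` is only a valid "not less than" check if `compareTo` returns exactly -1 for every less-than result; the changed line treats `compareTo` as sign-valued (negative, zero or positive), which is what `>= 0` tests, so every candidate above `biMax` is now rejected instead of only those for which the comparison happens to yield -1. This hunk covers only the zero-to-max loop, while the advisory also names `getRandomBigIntegerMinToMax`; confirm that function's comparison receives the same change. A short comment above the loop stating the accepted interval (`0 <= biRand <= biMax`) and that the check is on the sign of `compareTo` would keep a later reader from reintroducing the `!= -1` form.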
Source: GitHub Commit Details
The fix changes the comparison from != -1 to >= 0, which correctly ensures that only random values within the valid range are accepted.
Detection Methods for CVE-2026-4599
Indicators of Compromise
- Applications using jsrsasign versions between 7.0.0 and 11.1.0 for DSA signature operations
- Package dependency manifests (package.json, package-lock.json) containing vulnerable jsrsasign versions
- Cryptographic operations generating DSA signatures that may have been compromised
Detection Strategies
- Run software composition analysis (SCA) tools to identify vulnerable jsrsasign package versions in your dependency tree
- Review package.json and lock files for jsrsasign versions in the affected range (>=7.0.0 and <11.1.1)
- Audit application code for usage of DSA signature generation with the jsrsasign library
- Use npm audit or yarn audit commands to detect known vulnerabilities in project dependencies
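As an added example for the lock-file review step above (not a tool from the advisory or the jsrsasign project), this script reports every copy of jsrsasign in a parsed package-lock.json, including transitive ones, whose version falls in the affected range; the lockfile contents are constructed.

```javascript
// Added example, not from the advisory: flag every jsrsasign entry in a parsed
// package-lock.json whose version is in the affected range (>= 7.0.0, < 11.1.1).
// Handles lockfile v1 ("dependencies" tree) and v2/v3 ("packages" map).
const AFFECTED_MIN = "7.0.0"; // inclusive
const FIXED_IN = "11.1.1";    // exclusive: first patched release
// Numeric compare of "major.minor.patch"; any pre-release suffix is ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, FIXED_IN) < 0;
}

// Returns [{ path, version }] for every affected copy, transitive ones included.
function findAffected(lock) {
  const hits = [];
  const check = (p, meta) => {
    if (meta && meta.version && isAffected(meta.version)) hits.push({ path: p, version: meta.version });
  };
  if (lock.packages) { // lockfile v2/v3: flat map keyed by install path
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith("node_modules/jsrsasign")) check(p, meta);
    }
    return hits;
  }
  const walk = (deps, prefix) => { // lockfile v1: nested dependency tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === "jsrsasign") check(p, meta);
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}
// Constructed v3 lockfile: direct copy patched, transitive copy still affected.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/jsrsasign": { version: "11.1.1" },
    "node_modules/some-dep/node_modules/jsrsasign": { version: "10.5.0" },
  },
};
```

On a real project, pass the parsed lockfile instead of SAMPLE_LOCK, for example findAffected(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))).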
Monitoring Recommendations
- Implement continuous dependency scanning in CI/CD pipelines to detect vulnerable package versions
- Monitor for security advisories related to jsrsasign and cryptographic libraries
- Track signature generation patterns for anomalies that might indicate exploitation attempts
- Enable alerts for any attempts to downgrade cryptographic library versions
How to Mitigate CVE-2026-4599
Immediate Actions Required
- Upgrade jsrsasign to version 11.1.1 or later immediately
- Review all DSA private keys that may have been used with vulnerable versions and consider key rotation
- Audit applications to identify all instances where jsrsasign is used for cryptographic operations
- Conduct a security assessment to determine if any signatures generated with vulnerable versions may have been collected by adversaries
Patch Information
The vulnerability has been addressed in jsrsasign version 11.1.1. The fix corrects the comparison logic in the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions to properly reject out-of-range random candidates.
Upgrade to the patched version using npm:
npm install jsrsasign@11.1.1
Or update your package.json to specify the minimum safe version:
"dependencies": {
"jsrsasign": ">=11.1.1"
}
For detailed information about the fix, refer to the GitHub Pull Request Discussion and the Snyk Vulnerability Report.
Workarounds
- If immediate upgrade is not possible, avoid using DSA signature generation with vulnerable jsrsasign versions
- Consider switching to alternative cryptographic algorithms (RSA, ECDSA with secure implementations) until the upgrade can be completed
- Implement additional cryptographic validation layers using alternative libraries for critical signature operations
- Isolate applications using vulnerable versions from exposure to untrusted network traffic
The following shell commands check the installed version, apply the upgrade, and confirm the result:
# Check your installed jsrsasign version
npm list jsrsasign
# Upgrade to the patched version
npm install jsrsasign@11.1.1
# Verify the upgrade
npm list jsrsasign
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.