Preface: Software and platforms known to use jsrsasign include CustomJS, ServiceNow, Postman, jwt.io, the BitcoinJS library, OpenPGP.js, Google Apps Script, and add-on utilities.
Background: Jsrsasign (RSA-Sign JavaScript Library) is a pure JavaScript cryptographic library designed to handle RSA, ECDSA, and DSA operations, including key generation, digital signature creation/verification, and encryption. It provides the mathematical and structural setup for parsing keys (PKCS#1/5/8) and managing signatures.
Objectives of Specific Code Paths
ext/rsa.js (RSASetPublic/KEYUTIL parsing path):
- Objective: This path initializes an RSA public key by parsing raw key material (such as a modulus n and exponent e).
- Function: It takes external key formats, such as JSON Web Keys (JWK) or PEM-encoded strings, and converts them into an internal format that the library can use for cryptographic math.
ext/jsbn.js (BigInteger.modPowInt reduction logic):
- Objective: This logic performs modular exponentiation (m raised to the power e, reduced modulo n), which is the core mathematical operation of RSA.
- Function: It uses an optimized algorithm (often a sliding window or Montgomery representation) to compute these large-number results efficiently, since standard JavaScript numbers cannot represent them.
Vulnerability details: Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by Zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., signature verification and encryption) to collapse to deterministic zero outputs and hide "invalid key" errors by supplying a JWK whose modulus decodes to zero.
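As an added defensive example (not jsrsasign's own code), the check below validates a JWK's RSA parameters before they reach any modular-exponentiation routine, so a modulus that decodes to zero is rejected with an explicit error instead of producing a silent zero result; the helper names, the `minBits` parameter, and the sample JWK values are constructed for this illustration.

```javascript
// Added example, not jsrsasign code: reject degenerate RSA public keys from a JWK
// before they reach modular exponentiation.

// base64url -> BigInt (constructed helper). An empty or all-zero field decodes to 0n.
function b64urlToBigInt(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4);
  const hex = Buffer.from(b64, 'base64').toString('hex');
  return hex.length === 0 ? 0n : BigInt('0x' + hex);
}

// Returns {ok, reason} on rejection or {ok, n, e} on success.
// minBits is an assumption for this example; 2048 is a sensible production floor.
function validateRsaJwk(jwk, minBits = 2048) {
  if (!jwk || jwk.kty !== 'RSA' || typeof jwk.n !== 'string' || typeof jwk.e !== 'string')
    return { ok: false, reason: 'not an RSA JWK with string n and e' };
  const n = b64urlToBigInt(jwk.n);
  const e = b64urlToBigInt(jwk.e);
  if (n === 0n) return { ok: false, reason: 'modulus n is zero' };          // the case on this page
  if ((n & 1n) === 0n) return { ok: false, reason: 'modulus n is even' };   // never a valid RSA modulus
  if (n.toString(2).length < minBits) return { ok: false, reason: `modulus below ${minBits} bits` };
  if (e <= 1n || (e & 1n) === 0n) return { ok: false, reason: 'exponent e must be odd and > 1' };
  return { ok: true, n, e };
}

// Plain square-and-multiply m^e mod n; refuses a non-positive modulus rather than
// letting the reduction step misbehave.
function modPow(m, e, n) {
  if (n <= 0n) throw new RangeError('modulus must be positive');
  let result = 1n;
  m %= n;
  for (; e > 0n; e >>= 1n) {
    if (e & 1n) result = (result * m) % n;
    m = (m * m) % n;
  }
  return result;
}

// RSA public operation gated on the validation above.
function rsaPublicOp(jwk, m, minBits = 2048) {
  const v = validateRsaJwk(jwk, minBits);
  if (!v.ok) throw new Error('rejected JWK: ' + v.reason);
  return modPow(m, v.e, v.n);
}
```

The textbook-sized key used in the test (n = 3233, e = 17) only passes because `minBits` is lowered; with the default floor it is rejected like any other undersized key.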
Official announcement: Please refer to the link for details –