CVE-2020-14968
9.8 CRITICAL · An issue was discovered in the jsrsasign package before 8.0.17 for Node.js
Published: 2020-06-22 · Last updated: 2026-06-22
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-119
Affected products
| Vendor | Product |
|---|---|
| kjur | jsrsasign, max_data |
| netapp | jsrsasign, max_data |
Description
An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending '\0' bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.
Source: NVD
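As an added illustration (not jsrsasign's own code): a toy RSA verifier that, like the vulnerable path, converts the signature bytes to a big integer without checking their length, beside a hardened verifier that enforces the RFC 8017 requirement that a signature be exactly k bytes long. The key (N, E, D) is a constructed, insecure textbook example and PSS encoding is omitted, since the flaw sits in the byte-to-integer step rather than in PSS itself.

```python
# Added example, not jsrsasign code. Constructed toy RSA key (insecure):
# N = 61 * 53, e = 17, d = 17^-1 mod phi(N) = 2753.
N = 3233
E = 17
D = 2753
K = (N.bit_length() + 7) // 8   # modulus length in bytes (here 2)


def toy_sign(m: int) -> bytes:
    """Textbook RSA signature, encoded as exactly K bytes (I2OSP)."""
    return pow(m, D, N).to_bytes(K, "big")


def verify_naive(m: int, sig: bytes) -> bool:
    """Mirrors the vulnerable behaviour: bytes -> bigint silently drops
    leading zero bytes, so b'\\x00' + sig decodes to the same integer as sig
    and every zero-prefixed variant verifies."""
    s = int.from_bytes(sig, "big")
    return pow(s, E, N) == m


def verify_strict(m: int, sig: bytes) -> bool:
    """Hardened: RFC 8017 RSASSA-PSS-VERIFY step 1 rejects any signature
    whose length is not k octets, before any big-integer arithmetic."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False          # out of range for the modulus
    return pow(s, E, N) == m


def demo() -> dict:
    """Constructed message and a signature with three prepended NUL bytes."""
    m = 65
    sig = toy_sign(m)
    padded = b"\x00" * 3 + sig
    return {
        "naive_accepts_original": verify_naive(m, sig),
        "naive_accepts_padded": verify_naive(m, padded),    # True: the bug
        "strict_accepts_original": verify_strict(m, sig),
        "strict_accepts_padded": verify_strict(m, padded),  # False
    }
```

The same length check belongs in front of any verifier that decodes signatures through a big-integer type, since the integer value alone cannot tell the canonical encoding from a zero-padded one.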
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2020-14968
- [Exploit reference] https://github.com/kjur/jsrsasign/issues/438
- [Other] https://github.com/kjur/jsrsasign/releases/tag/8.0.17
- [Other] https://github.com/kjur/jsrsasign/releases/tag/8.0.18
- [Other] https://kjur.github.io/jsrsasign/
- [Other] https://security.netapp.com/advisory/ntap-20200724-0001/
- [Other] https://www.npmjs.com/package/jsrsasign
Related CVEs
Same vendor
- CVE-2025-22134 — When switching to other buffers using the :all command and visual mode still being active, this may cause a heap-buffer overflow, because... (4.2 MEDIUM)
- CVE-2024-21262 — Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/ODBC) (6.5 MEDIUM)
- CVE-2024-43374 — The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling (4.5 MEDIUM)
- CVE-2023-21968 — Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries) (3.7 LOW)
- CVE-2023-28531 — ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints (9.8 CRITICAL)
Same CWE
- CVE-2026-12330 — Incorrect boundary conditions in the Internationalization component (5.4 MEDIUM)
- CVE-2026-12329 — Memory safety bug fixed in Thunderbird ESR 140.12 (5.3 MEDIUM)
- CVE-2026-12327 — Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151 (7.3 HIGH)
- CVE-2026-12326 — Memory safety bugs present in Firefox 151 and Thunderbird 151 (7.3 HIGH)
- CVE-2026-12318 — Incorrect boundary conditions in the Libraries component in NSS (7.3 HIGH)