CVE-2021-30246:
JavaScript
CVE-2021-30246 affects the jsrsasign package for Node.js up to and including version 10.1.13, where some invalid RSA PKCS#1 v1.5 signatures are mistakenly accepted as valid. The vulnerability was disclosed on April 7, 2021. No practical attack had been reported at disclosure, but the affected code is the package's signature verification, so any consumer that trusts its verdict is exposed (NVD).
The root cause is lenient parsing of the PKCS#1 v1.5 encoded message in RSAKey.prototype.verify. After the RSA public-key operation, the implementation converts the resulting integer to a hex string, which discards leading 0x00 bytes, so neither the 0x00 0x01 header nor the total block length is ever checked. It then strips the padding with a regex that only requires the string to start with '1f+00', that is, a 0x01 byte, any number of 0xFF bytes and a 0x00 separator (GitHub Issue). RFC 8017 (section 8.2.2) instead requires the verifier to rebuild the complete k-byte block EM' = 0x00 || 0x01 || PS || 0x00 || T, with PS made of at least eight 0xFF bytes and filling the block exactly, and to compare it with the recovered EM in full; a prefix match cannot tell a well-formed block from one with too few padding bytes or a shorter integer. NVD assigned the issue a CVSS v3.1 base score of 9.1 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).
Because the affected function is signature verification, invalid RSA PKCS#1 v1.5 signatures can be accepted as valid. No practical attack had been reported at disclosure, but any component that relies on jsrsasign for signature checks, for example JWS/JWT or X.509 certificate validation built on it, inherits the weakness. The impact is to the integrity of whatever the signature was meant to protect (and, per the CVSS vector, to confidentiality), not to availability (NVD).
Users should upgrade to a jsrsasign release newer than 10.1.13; running npm ls jsrsasign in a project shows which version is installed, including copies pulled in transitively by other dependencies. The issue was reported in the project's issue tracker and fixed in subsequent releases (GitHub Issue).