Skip to main content

Improper Verification of Cryptographic Signature


Severity High
Score 7.5/10


The browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on 'indutny/tls.js'. An upper bound check issue in "dsaVerify" function, allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This vulnerability affects browserify-sign package versions 2.6.0 through 4.2.1.

  • LOW
  • HIGH
  • NONE
  • NONE
  • NONE
  • NONE

CWE-347 - Improper Verification of Cryptographic Signature

A cryptographic protocol is meant to ensure that services are provided in a secure manner. An application with absent or improper verification of cryptographic signatures allows malicious users to feed false messages to valid users or to disclose sensitive data, subverting the goals of the protocol. This can lead to security failures such as false authentication, account hijacking, and privilege escalation.

Advisory Timeline

  • Published