CVE-2022-25898— Improper Verification of Cryptographic Signature

CVSS 7.7 · High EPSS 1.77% · P83 Updated Feb 25, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-25898

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Improper Verification of Cryptographic Signature

Source: NVD (National Vulnerability Database)

Vulnerability Description

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake. Workaround: Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

jsrsasign 数据伪造问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

jsrsasign package是日本浦岛贤治个人开发者的一款开源的加密库。 jsrsasign 10.5.25之前版本存在安全漏洞，该漏洞源于当 JWS 或 JWT 签名具有非 Base64URL 编码的特殊字符或数字转义字符可能被错误地验证为有效时，容易受到加密签名的不正确验证。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
-	jsrsasign	unspecified ~ 10.5.25	-

II. Public POCs for CVE-2022-25898

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-25898

请登录查看更多情报信息。

https://github.com/kjur/jsrsasign/releases/tag/10.5.25x_refsource_MISC
https://github.com/kjur/jsrsasign/commit/4536a6e9e8bcf1a644ab7c07ed96e453347dae41x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBKJUR-2935897x_refsource_MISC
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2935898x_refsource_MISC
https://snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2022-25898

Same Patch Batch · n/a · 2022-07-01 · 54 CVEs total

CVE-2022-25900	8.1 HIGH	Command Injection
CVE-2022-25876	6.2 MEDIUM	Server-side Request Forgery (SSRF)
CVE-2022-25758	5.3 MEDIUM	Regular Expression Denial of Service (ReDoS)
CVE-2022-25896	4.8 MEDIUM	Session Fixation
CVE-2022-32087		MariaDB 安全漏洞
CVE-2022-32095		Hospital Management System SQL注入漏洞
CVE-2022-32324		PDFAlto 缓冲区错误漏洞
CVE-2022-34903		GnuPG 注入漏洞
CVE-2022-32411		HongCMS 安全漏洞
CVE-2022-32088		MariaDB 安全漏洞
CVE-2022-32035		Tenda M3 缓冲区错误漏洞
CVE-2022-32086		MariaDB 安全漏洞
CVE-2022-32085		MariaDB 安全漏洞
CVE-2022-32083		MariaDB 安全漏洞
CVE-2022-32030		Tenda AX1806 缓冲区错误漏洞
CVE-2022-32031		Tenda AX1806 缓冲区错误漏洞
CVE-2022-32032		Tenda AX1806 缓冲区错误漏洞
CVE-2022-32033		Tenda AX1806 缓冲区错误漏洞
CVE-2022-32034		Tenda M3 缓冲区错误漏洞
CVE-2022-32037		Tenda M3 缓冲区错误漏洞

Showing top 20 of 54 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: jsrsasign

Same vendor: n/a

V. Comments for CVE-2022-25898

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2022-25898— Improper Verification of Cryptographic Signature

I. Basic Information for CVE-2022-25898

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2022-25898

III. Intelligence Information for CVE-2022-25898

Same Patch Batch · n/a · 2022-07-01 · 54 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2022-25898

Leave a comment