CVE-2025-45764 identifies a vulnerability in version 11.1.0 of the jsrsasign project, a widely used JavaScript library for cryptographic signing and verification. The vulnerability is categorized under CWE-326, which relates to inadequate encryption strength. Specifically, the issue concerns the use of weak encryption parameters or key lengths within the library's default cryptographic implementations. This could potentially allow attackers to compromise the integrity of cryptographic operations, such as digital signatures, by exploiting weaker-than-expected encryption strength. However, the vulnerability's existence and scope have been disputed by a third party, who argues that CVE assignments should be tied to specific applications using the library with weak key lengths rather than the library's default key lengths themselves. The CVSS v3.1 base score is 3.2 (low severity), reflecting that exploitation requires local access (AV:L), high attack complexity (AC:H), no privileges (PR:N), and no user interaction (UI:N). The impact is limited to integrity loss without affecting confidentiality or availability, and the scope is changed (S:C), indicating that the vulnerability affects components beyond the vulnerable library itself. No known exploits are currently reported in the wild, and no patches have been published yet. The dispute and low CVSS score suggest that while the vulnerability exists, its practical impact and exploitability are limited, especially given the high attack complexity and local access requirements.

For European organizations, the potential impact of this vulnerability is primarily on the integrity of cryptographic operations relying on jsrsasign v11.1.0. Since jsrsasign is used in various web applications and services for digital signature verification and cryptographic functions, weak encryption strength could allow attackers with local access to manipulate or forge signatures, potentially undermining trust in data authenticity. However, the requirement for local access and high attack complexity reduces the likelihood of widespread exploitation. The lack of confidentiality or availability impact further limits the threat. Organizations in sectors relying heavily on cryptographic assurances, such as finance, government, and critical infrastructure, could face risks if they use the vulnerable library version without additional safeguards. Given the dispute over the vulnerability's validity and the absence of known exploits, the immediate risk to European entities is low but should not be ignored, especially in environments where local access controls are weak or where cryptographic integrity is paramount.

European organizations should first identify any usage of jsrsasign v11.1.0 within their software stacks, especially in critical applications involving digital signatures or cryptographic verification. Since no official patches are currently available, organizations should consider the following specific mitigations: 1) Replace or upgrade jsrsasign to a later version if available, or switch to alternative cryptographic libraries with stronger default encryption parameters. 2) Enforce strict local access controls and monitoring to prevent unauthorized local access that could enable exploitation. 3) Conduct thorough cryptographic audits to verify key lengths and encryption parameters used in applications, ensuring they meet current security standards. 4) Implement additional application-level integrity checks and multi-factor verification for critical cryptographic operations to mitigate risks from potential signature forgery. 5) Stay informed on updates from the jsrsasign project and CVE authorities regarding dispute resolution and patch releases. 6) For environments where upgrading is not immediately feasible, consider compensating controls such as network segmentation and enhanced logging to detect suspicious activities related to cryptographic operations.