From 76e5be3a003b7328c54de6a13eff8e0330387971 Mon Sep 17 00:00:00 2001
From: Ashwin Gundarapu
Date: Fri, 12 Jun 2026 09:58:19 +0000
Subject: [PATCH] crypto: reject non-positive RSA modulus in certificates

If an RSA modulus is zero or negative, return undefined instead of attempting to convert it. This prevents issues with malformed certificates.
Fixes: https://github.com/nodejs/node/issues/63824
---
 src/crypto/crypto_x509.cc | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/crypto/crypto_x509.cc b/src/crypto/crypto_x509.cc
index 8082496a87714e..9de7e40d636d40 100644
--- a/src/crypto/crypto_x509.cc
+++ b/src/crypto/crypto_x509.cc
@@ -681,6 +681,12 @@ MaybeLocal GetPubKey(Environment* env, const ncrypto::Rsa& rsa) {
 }
 MaybeLocal GetModulusString(Environment* env, const BIGNUM* n) {
+ // FIX: Reject non-positive modulus (zero or negative)
+ // Addresses issue #63824
+ if (n == nullptr || BN_is_zero(n) || BN_is_negative(n)) {
+ return Undefined(env->isolate());
+ }
+
 auto bio = BIOPointer::New(n);
 if (!bio) [[unlikely]] return {};
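Review bot: The guard added at the top of GetModulusString comes with no regression test (the diffstat lists only src/crypto/crypto_x509.cc), so nothing pins what a certificate with a zero or negative RSA modulus looks like to the caller. The callers are outside the hunk, so it is worth confirming that other fields derived from the same key are not still reported as if the key were usable when the modulus comes back `undefined`; a consumer that checks only those fields would not notice the malformed key. The two added comment lines record history rather than intent; something like `// A zero or negative modulus is not a valid RSA key: report undefined instead of formatting it.` reads better, with the issue reference left in the commit message. GetModulusString's body continues past the end of the hunk.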