node-forge 1.2.1

Direct Vulnerabilities

Known vulnerabilities in the node-forge package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Verification of Cryptographic Signature node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in ASN.1 structures during RSA signature verification. An attacker can bypass signature verification and inject forged signatures by crafting ASN.1 data with extra fields or insufficient padding, allowing unauthorized actions or data integrity violations. Note: This is only exploitable if the default verification scheme (RSASSA-PKCS1-v1_5) is used with the `_parseAllDigestBytes: true` setting (which is the default). How to fix Improper Verification of Cryptographic Signature? Upgrade `node-forge` to version 1.4.0 or higher.	<1.4.0
C Improper Certificate Validation node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Certificate Validation in the `verifyCertificateChain` function. An attacker can gain unauthorized certificate authority capabilities by presenting a certificate chain where an intermediate certificate lacks both `basicConstraints` and `keyUsage` extensions, allowing the attacker to sign certificates for arbitrary domains and have them accepted as valid. How to fix Improper Certificate Validation? Upgrade `node-forge` to version 1.4.0 or higher.	<1.4.0
H Infinite loop node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Infinite loop via the `modInverse` function. An attacker can cause the application to hang indefinitely and consume excessive CPU resources by supplying a zero value as input, resulting in an infinite loop. How to fix Infinite loop? Upgrade `node-forge` to version 1.4.0 or higher.	<1.4.0
H Improper Verification of Cryptographic Signature node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the `ed25519.verify` function. An attacker can bypass authentication and authorization logic by submitting forged non-canonical signatures where the scalar S is not properly validated, allowing acceptance of signatures that should be rejected according to the specification. How to fix Improper Verification of Cryptographic Signature? Upgrade `node-forge` to version 1.4.0 or higher.	<1.4.0
H Uncontrolled Recursion node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Uncontrolled Recursion via the `fromDer` function in `asn1.js`, which lacks recursion depth. An attacker can cause stack exhaustion and disrupt service availability by submitting specially crafted, deeply nested DER-encoded ASN.1 data. How to fix Uncontrolled Recursion? Upgrade `node-forge` to version 1.3.2 or higher.	<1.3.2
M Integer Overflow or Wraparound node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the `derToOid` function in the `asn1.js` file, which decodes ASN.1 structures containing OIDs with oversized arcs. An attacker can bypass security decisions based on OID validation by crafting malicious ASN.1 data that exploits 32-bit bitwise truncation. How to fix Integer Overflow or Wraparound? Upgrade `node-forge` to version 1.3.2 or higher.	<1.3.2
C Interpretation Conflict node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Interpretation Conflict via the `asn1.validate()` function. An attacker can cause schema validation to become desynchronized, resulting in semantic divergence that may allow bypassing cryptographic verifications and security decisions, by passing in ASN.1 data with optional parameters that may be interpreted as object boundaries. How to fix Interpretation Conflict? Upgrade `node-forge` to version 1.3.2 or higher.	<1.3.2
M Improper Verification of Cryptographic Signature node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's `PKCS#1 v1.5` signature verification code which does not properly check `DigestInfo` for a proper `ASN.1` structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. How to fix Improper Verification of Cryptographic Signature? Upgrade `node-forge` to version 1.3.0 or higher.	<1.3.0
M Improper Verification of Cryptographic Signature node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA`s` PKCS#1` v1.5 signature verification code which is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. How to fix Improper Verification of Cryptographic Signature? Upgrade `node-forge` to version 1.3.0 or higher.	<1.3.0
H Improper Verification of Cryptographic Signature node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's `PKCS#1` v1.5 signature verification code which does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. How to fix Improper Verification of Cryptographic Signature? Upgrade `node-forge` to version 1.3.0 or higher.	<1.3.0

Vulnerability

Vulnerable Version

Improper Verification of Cryptographic Signature

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in ASN.1 structures during RSA signature verification. An attacker can bypass signature verification and inject forged signatures by crafting ASN.1 data with extra fields or insufficient padding, allowing unauthorized actions or data integrity violations.

Note:

This is only exploitable if the default verification scheme (RSASSA-PKCS1-v1_5) is used with the _parseAllDigestBytes: true setting (which is the default).

How to fix Improper Verification of Cryptographic Signature?

Upgrade node-forge to version 1.4.0 or higher.

<1.4.0

Improper Certificate Validation

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Certificate Validation in the verifyCertificateChain function. An attacker can gain unauthorized certificate authority capabilities by presenting a certificate chain where an intermediate certificate lacks both basicConstraints and keyUsage extensions, allowing the attacker to sign certificates for arbitrary domains and have them accepted as valid.

How to fix Improper Certificate Validation?

Upgrade node-forge to version 1.4.0 or higher.

<1.4.0

Infinite loop

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Infinite loop via the modInverse function. An attacker can cause the application to hang indefinitely and consume excessive CPU resources by supplying a zero value as input, resulting in an infinite loop.

How to fix Infinite loop?

Upgrade node-forge to version 1.4.0 or higher.

<1.4.0

Improper Verification of Cryptographic Signature

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the ed25519.verify function. An attacker can bypass authentication and authorization logic by submitting forged non-canonical signatures where the scalar S is not properly validated, allowing acceptance of signatures that should be rejected according to the specification.

How to fix Improper Verification of Cryptographic Signature?

Upgrade node-forge to version 1.4.0 or higher.

<1.4.0

Uncontrolled Recursion

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Uncontrolled Recursion via the fromDer function in asn1.js, which lacks recursion depth. An attacker can cause stack exhaustion and disrupt service availability by submitting specially crafted, deeply nested DER-encoded ASN.1 data.

How to fix Uncontrolled Recursion?

Upgrade node-forge to version 1.3.2 or higher.

<1.3.2

Integer Overflow or Wraparound

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the derToOid function in the asn1.js file, which decodes ASN.1 structures containing OIDs with oversized arcs. An attacker can bypass security decisions based on OID validation by crafting malicious ASN.1 data that exploits 32-bit bitwise truncation.

How to fix Integer Overflow or Wraparound?

Upgrade node-forge to version 1.3.2 or higher.

<1.3.2

Interpretation Conflict

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Interpretation Conflict via the asn1.validate() function. An attacker can cause schema validation to become desynchronized, resulting in semantic divergence that may allow bypassing cryptographic verifications and security decisions, by passing in ASN.1 data with optional parameters that may be interpreted as object boundaries.

How to fix Interpretation Conflict?

Upgrade node-forge to version 1.3.2 or higher.

<1.3.2

Improper Verification of Cryptographic Signature

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's PKCS#1 v1.5 signature verification code which does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

How to fix Improper Verification of Cryptographic Signature?

Upgrade node-forge to version 1.3.0 or higher.

<1.3.0

Improper Verification of Cryptographic Signature

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSAs PKCS#1` v1.5 signature verification code which is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

How to fix Improper Verification of Cryptographic Signature?

Upgrade node-forge to version 1.3.0 or higher.

<1.3.0

Improper Verification of Cryptographic Signature

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's PKCS#1 v1.5 signature verification code which does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.

How to fix Improper Verification of Cryptographic Signature?

Upgrade node-forge to version 1.3.0 or higher.

<1.3.0

node-forge@1.2.1

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically