node-forge 1.2.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the node-forge package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Verification of Cryptographic Signature node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's `PKCS#1 v1.5` signature verification code which does not properly check `DigestInfo` for a proper `ASN.1` structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. How to fix Improper Verification of Cryptographic Signature? Upgrade `node-forge` to version 1.3.0 or higher.	<1.3.0
M Improper Verification of Cryptographic Signature node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA`s` PKCS#1` v1.5 signature verification code which is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. How to fix Improper Verification of Cryptographic Signature? Upgrade `node-forge` to version 1.3.0 or higher.	<1.3.0
H Improper Verification of Cryptographic Signature node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's `PKCS#1` v1.5 signature verification code which does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. How to fix Improper Verification of Cryptographic Signature? Upgrade `node-forge` to version 1.3.0 or higher.	<1.3.0

Vulnerability

Vulnerable Version

Improper Verification of Cryptographic Signature

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's PKCS#1 v1.5 signature verification code which does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

How to fix Improper Verification of Cryptographic Signature?

Upgrade node-forge to version 1.3.0 or higher.

<1.3.0

Improper Verification of Cryptographic Signature

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSAs PKCS#1` v1.5 signature verification code which is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

How to fix Improper Verification of Cryptographic Signature?

Upgrade node-forge to version 1.3.0 or higher.

<1.3.0

Improper Verification of Cryptographic Signature

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to RSA's PKCS#1 v1.5 signature verification code which does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.

How to fix Improper Verification of Cryptographic Signature?

Upgrade node-forge to version 1.3.0 or higher.

<1.3.0

node-forge@1.2.1 vulnerabilities

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically