High severity · NVD Advisory · Published Nov 25, 2025 · Updated Nov 25, 2025
CVE-2025-12816
Description
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| node-forge (npm) | < 1.3.2 | 1.3.2 |
Affected products
- Range: 0
- Digital Bazaar/node-forge, v5, Range: 0
References
- github.com/advisories/GHSA-5gfm-wpxj-wjgq (ghsa, ADVISORY)
- github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq (ghsa, third-party-advisory, WEB)
- kb.cert.org/vuls/id/521113 (ghsa, third-party-advisory, WEB)
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js (ghsa, WEB)
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js (ghsa, WEB)
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js (ghsa, WEB)
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js (ghsa, WEB)
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js (ghsa, WEB)
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js (ghsa, WEB)
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js (ghsa, WEB)
- github.com/digitalbazaar/forge/pull/1124 (ghsa, WEB)
- www.kb.cert.org/vuls/id/521113 (ghsa, WEB)
- www.npmjs.com/package/node-forge (ghsa, WEB)