VYPR
High severity · NVD Advisory · Published Nov 26, 2025 · Updated Nov 28, 2025

node-forge ASN.1 Unbounded Recursion

CVE-2025-66031

Description

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. An uncontrolled-recursion vulnerability in node-forge versions 1.3.1 and below lets remote, unauthenticated attackers supply deeply nested ASN.1 structures that drive the DER parser into unbounded recursion, one call frame per nesting level. The result is a denial of service through stack exhaustion whenever untrusted DER input (certificates, keys, CMS or other ASN.1 blobs) is parsed. The issue is fixed in version 1.3.2, which adds a nesting-depth limit to asn1.fromDer (default 256, overridable per call).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
node-forge   npm         < 1.3.2             1.3.2

Patches

260425c6167a

Add ASN.1 recursion depth limit

https://github.com/digitalbazaar/forge · wodzen · Nov 22, 2025 · via ghsa
1 file changed · +14 −0
  • lib/asn1.js  +14 −0  modified
    @@ -178,6 +178,11 @@ asn1.Type = {
       BMPSTRING:       30
     };
     
    +/**
    + * Sets the default maximum recursion depth when parsing ASN.1 structures.
    + */
    +asn1.maxDepth = 256;
    +
     /**
      * Creates a new asn1 object.
      *
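Review bot: the JSDoc on the new asn1.maxDepth export reads like a setter ("Sets the default maximum recursion depth") but the thing being documented is a plain module-level number that callers may reassign; reword it to describe the value and how it is used, for example `Default maximum nesting depth for ASN.1 parsing; overridable per call via options.maxDepth in asn1.fromDer`, and record why 256 was chosen so a future reader knows how much headroom legitimate inputs have before the limit trips.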
    @@ -448,6 +453,9 @@ asn1.fromDer = function(bytes, options) {
       if(!('decodeBitStrings' in options)) {
         options.decodeBitStrings = true;
       }
    +  if(!('maxDepth' in options)) {
    +    options.maxDepth = asn1.maxDepth;
    +  }
     
       // wrap in buffer if needed
       if(typeof bytes === 'string') {
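Review bot: the `'maxDepth' in options` test only installs the default when the key is absent, so a caller who passes `maxDepth: undefined` keeps that value, and since `depth >= undefined` is always false the new limit is silently disabled; `maxDepth: null` has the opposite effect (`depth >= null` is true at depth 0, so every input is rejected), and a non-positive number rejects everything as well. Validate the option instead of probing for the key, e.g. `if(typeof options.maxDepth !== 'number' || options.maxDepth < 1) { options.maxDepth = asn1.maxDepth; }` (or throw on an invalid value), and document `maxDepth` next to the existing options such as `decodeBitStrings`.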
    @@ -476,6 +484,12 @@ asn1.fromDer = function(bytes, options) {
      * @return the parsed asn1 object.
      */
     function _fromDer(bytes, remaining, depth, options) {
    +
    +  // check depth limit
    +  if(depth >= options.maxDepth) {
    +    throw new Error('ASN.1 parsing error: Max depth exceeded.');
    +  }
    +
       // temporary storage for consumption calculations
       var start;
     
    

Vulnerability mechanics

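The recursion the advisory describes, as an added example that is neither the advisory's text nor node-forge's code: a minimal DER TLV parser in JavaScript that recurses once per constructed value, run first with no depth limit (the shape of the bug in forge 1.3.1 and below, ending in a stack-overflow RangeError on a deeply nested payload) and then with a nesting limit of the kind the 1.3.2 patch adds. Everything here is constructed for illustration: the payload builder `nestedSequence`, the parser `parseTlv`, and the helper `tryParse` are this example's own names; only the default of 256 and the error text mirror the patch above.

```javascript
// Added example (not node-forge code): a minimal DER TLV parser with an
// optional nesting limit of the kind the 1.3.2 patch adds. All function
// names here (encodeLength, nestedSequence, parseTlv, treeDepth, tryParse)
// are this example's own assumptions, not forge's API.

// DER definite-form length encoding. Assumption: n < 2^32.
function encodeLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) bytes.unshift(v % 256);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

// Constructed attacker-style input: SEQUENCE nested `depth` times around a
// NULL. Sizes are computed inside-out first so the buffer is built in O(n).
function nestedSequence(depth) {
  const total = [2];                       // total[i]: size of i wrappers around NULL
  for (let i = 1; i <= depth; i++) {
    total.push(1 + encodeLength(total[i - 1]).length + total[i - 1]);
  }
  const out = Buffer.alloc(total[depth]);
  let pos = 0;
  for (let i = depth; i >= 1; i--) {
    out[pos++] = 0x30;                     // SEQUENCE tag (constructed bit set)
    pos += encodeLength(total[i - 1]).copy(out, pos);
  }
  out[pos++] = 0x05;                       // NULL, zero-length content
  out[pos++] = 0x00;
  return out;
}

// Parse one TLV at `offset`. `depth` is the current nesting level; passing
// Infinity as `maxDepth` reproduces the unbounded recursion of forge <= 1.3.1.
function parseTlv(buf, offset, depth, maxDepth) {
  if (depth >= maxDepth) {
    throw new Error('ASN.1 parsing error: Max depth exceeded.');
  }
  if (offset + 2 > buf.length) throw new Error('truncated TLV header');
  const tag = buf[offset];
  const constructed = (tag & 0x20) !== 0;
  let len = buf[offset + 1];
  let pos = offset + 2;
  if (len & 0x80) {                        // long form: 0x8N followed by N length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported length encoding');
    if (pos + n > buf.length) throw new Error('truncated length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
  }
  const end = pos + len;
  if (end > buf.length) throw new Error('value exceeds buffer');
  if (!constructed) return { tag, constructed, value: buf.subarray(pos, end), end };
  const children = [];
  while (pos < end) {
    const child = parseTlv(buf, pos, depth + 1, maxDepth);  // one frame per level
    children.push(child);
    pos = child.end;
  }
  return { tag, constructed, children, end };
}

// Nesting depth of a parsed tree (a lone primitive counts as 1).
function treeDepth(node) {
  return node.constructed ? 1 + Math.max(0, ...node.children.map(treeDepth)) : 1;
}

// Parse a whole DER blob; report its depth on success or the failure kind.
function tryParse(buf, maxDepth = 256) {
  try {
    const root = parseTlv(buf, 0, 0, maxDepth);
    if (root.end !== buf.length) throw new Error('trailing bytes after value');
    return { ok: true, depth: treeDepth(root) };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message };
  }
}

const hostile = nestedSequence(500000);                    // ~2.5 MB, 500k nested SEQUENCEs
console.log('unbounded:', tryParse(hostile, Infinity));    // RangeError: stack exhausted
console.log('bounded:  ', tryParse(hostile));              // Error: Max depth exceeded
console.log('benign:   ', tryParse(nestedSequence(10)));   // ok, depth 11
```

The unbounded run fails with whatever the JavaScript engine reports for stack exhaustion, which is exactly the denial-of-service condition the advisory describes; the bounded run rejects the same input after 256 frames with a controlled error. On node-forge 1.3.2 and later the equivalent knob is `forge.asn1.fromDer(der, {maxDepth: n})`, or the module-level `forge.asn1.maxDepth`, as introduced by the patch above.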
