VYPR

Forge

by Digitalbazaar

Source repositories

CVEs (11)

  • CVE-2026-33895HigMar 27, 2026
    risk 0.42cvss 7.5epss 0.00

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid…

  • CVE-2026-33894HigMar 27, 2026
    risk 0.42cvss 7.5epss 0.00

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing…

  • CVE-2026-33891HigMar 27, 2026
    risk 0.42cvss 7.5epss 0.00

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from…

  • CVE-2026-33896HigMar 27, 2026
    risk 0.41cvss 7.4epss 0.00

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the…

  • CVE-2025-66030Nov 26, 2025
    risk 0.00cvss epss 0.00

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized…

  • CVE-2025-66031Nov 26, 2025
    risk 0.00cvss epss 0.00

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded…

  • CVE-2025-12816Nov 25, 2025
    risk 0.00cvss epss 0.01

    An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and…

  • CVE-2022-24772Mar 18, 2022
    risk 0.00cvss epss 0.01

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow…

  • CVE-2022-24773Mar 18, 2022
    risk 0.00cvss epss 0.01

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification…

  • CVE-2022-24771Mar 18, 2022
    risk 0.00cvss epss 0.01

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals…

  • CVE-2020-7720Sep 1, 2020
    risk 0.00cvss epss 0.03

    The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.