233 matches found
CVE-2026-33896
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions...
CVE-2026-33891
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service DoS vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse function inherited from the bundled jsbn library...
CVE-2026-33894
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS1 v1.5 signature verification accepts forged signatures for low public exponent keys e=3. Attackers can forge signatures by stuffing “garbage” bytes within the ASN...
UBUNTU-CVE-2026-33896
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions...
UBUNTU-CVE-2026-33894
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS1 v1.5 signature verification accepts forged signatures for low public exponent keys e=3. Attackers can forge signatures by stuffing “garbage” bytes within the ASN...
CVE-2026-33896
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions...
UBUNTU-CVE-2026-33891
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service DoS vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse function inherited from the bundled jsbn library...
CVE-2026-33894
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS1 v1.5 signature verification accepts forged signatures for low public exponent keys e=3. Attackers can forge signatures by stuffing “garbage” bytes within the ASN...
CVE-2026-33891
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service DoS vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse function inherited from the bundled jsbn library...
CVE-2026-33896 Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions...
CVE-2026-33896
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, pki.verifyCertificateChain does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions...
CVE-2026-33894
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS1 v1.5 signature verification accepts forged signatures for low public exponent keys e=3. Attackers can forge signatures by stuffing “garbage” bytes within the ASN...
CVE-2026-33891 Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service DoS vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse function inherited from the bundled jsbn library...
CVE-2026-33891
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service DoS vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse function inherited from the bundled jsbn library...
CVE-2026-33891 Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service DoS vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse function inherited from the bundled jsbn library...
CVE-2026-33891
CVE-2026-33891 affects Forge/node-forge prior to 1.4.0, where BigInteger.modInverse() can enter an infinite loop when given zero, causing a DoS with 100% CPU. The issue is resolved in 1.4.0. Related OSV entries confirm patches in downstream packages (e.g., Root’s @rootio/node-forge) with multiple...
CVE-2026-33891 Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Forge also called node-forge is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service DoS vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse function inherited from the bundled jsbn library...
Improper Certificate Validation
Overview node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Certificate Validation in the verifyCertificateChain function. An attacker can gain...
org.webjars.npm:github-com-cisco-node-jose (=2.2.0), org.webjars.npm:google-auth-library (>=1.6.1 <=6.1.6) +7 more potentially affected by CVE-2026-33896 via org.webjars.npm:node-forge (>=0.10.0 <=1.3.3)
org.webjars.npm:node-forge MAVEN version =0.10.0, =1.6.1, =1.0.2, =2.3.2, =1.10.2, =2.1.1 Source cves: CVE-2026-33896 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15789772...
-fides-amor-et-lux (=1.0.0), 1ib (>=1.0.9 <=1.0.11) +1144 more potentially affected by CVE-2026-33896 via node-forge (>=1.0.0 <=1.3.3)
node-forge NPM version =1.0.0, =1.0.9, =1.0.0, =7.10.2-para-beta.0, =1.3.0-patch.0, =0.0.1-custom-install-dir, =1.2.1, =1.0.0, =1.0.0, =1.2.6, =1.23.2, =1.34.0 - @arextest/arex-request-runtime =7.36.3 and more Source cves: CVE-2026-33896 Source advisory: SNYK:JS-NODEFORGE-15789771...