8 matches found
CVE-2022-24772
CVE-2022-24772 is a vulnerability in Forge/node-forge where RSA PKCS#1 v1.5 signature verification does not check for trailing garbage after decoding a DigestInfo, enabling signature forging when a low exponent is used. The issue has a fixed remedy in node-forge version 1.3.0. Connected sources c...
CVE-2022-24771
CVE-2022-24771 affects Forge (node-forge). Prior to 1.3.0, RSA PKCS#1 v1.5 signature verification is lenient, allowing a crafted DigestInfo structure to steal padding bytes and forge a signature when a low public exponent is used. The issue is fixed in node-forge 1.3.0. Practical impact, as state...
CVE-2022-24773
Technical details about CVE-2022-24773 (affected products/versions, root cause, impact, and fixes) are not provided in the connected documents. Monitor for updates from the vendor/CNA disclosures to obtain concrete information.
CVE-2020-7720
CVE-2020-7720 is a prototype pollution vulnerability in the node-forge library (util.setPath) present in older node-forge releases. Multiple connected sources confirm that versions prior to 0.10.0 are affected, with 0.10.0 removing the vulnerable functions. Public risk scores in the sources range...
CVE-2022-0122
CVE-2022-0122 — The initial description notes that the Forge (node-forge) library is vulnerable to URL Redirection to Untrusted Site. The connected documents confirm this CVE is present in the Forge project, with a reference to a Forge commit that relates to the issue, but there are no explicit p...
CVE-2025-66030
CVE-2025-66030 (node-forge) is a vulnerability in the Forge/ node-forge TLS implementation for JavaScript. The issue is an integer overflow in versions 1.3.1 and earlier, allowing remote, unauthenticated attackers to craft ASN.1 structures with oversized arcs. These arcs can be decoded as smaller...
CVE-2025-66031
CVE-2025-66031 pertains to the node-forge (Forge) library. An Uncontrolled Recursion vulnerability in node-forge
CVE-2026-33894
Forge (node-forge) prior to version 1.4.0 is vulnerable to RSASSA-PKCS1 v1.5 signature forgery for low exponent keys (e = 3). The issue arises from forging signatures by injecting extra bytes inside the ASN.1 structure and by not enforcing a minimum PKCS#1 v1.5 padding length of 8 bytes, enabling...