Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Severity: High
Description
pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
Recommendation
Update the node-forge package to the latest compatible version. Version details:
- Affected version(s): <= 1.3.3
- Patched version(s): 1.4.0
Related Issues
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Forge has signature forgery in Ed25519 due to missing S > L check - CVE-2026-33895
- node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - CVE-2025-12816
Tags: npm, node-forge
Last updated on March 27, 2026