Description
Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification.
Recommendation
Update the node-forge package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.4.0
- Patched version(s): 1.4.0
References
Related Issues
- Forge has signature forgery in RSA-PKCS due to ASN.1 extra field - CVE-2026-33894
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) - CVE-2026-33896
- Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729
- Tags:
- npm
- node-forge
Anything's wrong? Let us know Last updated on March 27, 2026