Improper Verification of Cryptographic Signature in `node-forge` (GHSA-2r2c-g63r-vccr)

Severity:: Medium

Description

RSA PKCS#1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.

Recommendation

Update the node-forge package to the latest compatible version. Followings are version details:

Affected version(s): < 1.3.0
Patched version(s): 1.3.0

References

GHSA-2r2c-g63r-vccr
CVE-2022-24773
CWE-347
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

node-forge has ASN.1 Unbounded Recursion - CVE-2025-66031
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - CVE-2025-12816
Prototype Pollution in node-forge - CVE-2020-7720
Improper Verification of Cryptographic Signature in node-forge - CVE-2022-24772

Tags:: npm; node-forge

Anything's wrong? Let us know Last updated on January 27, 2023