Improper Verification of Cryptographic Signature in node-forge (GHSA-cfm4-qjh2-4765)

Severity:: High

Description

RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

Recommendation

Update the node-forge package to the latest compatible version. Followings are version details:

Affected version(s): < 1.3.0
Patched version(s): 1.3.0

References

GHSA-cfm4-qjh2-4765
CVE-2022-24771
CWE-347
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

Improper Verification of Cryptographic Signature in `node-forge` (GHSA-2r2c-g63r-vccr) - CVE-2022-24773
Improper Verification of Cryptographic Signature in node-forge - CVE-2022-24772
Improper Verification of Cryptographic Signature (GHSA-7r96-8g3x-g36m) - Vulnerability
Open Redirect in node-forge - CVE-2022-0122

Tags:: npm; node-forge

Anything's wrong? Let us know Last updated on February 12, 2025