Improper Verification of Cryptographic Signature in node-forge - node-forge

Severity:: High

Description

RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

Recommendation

Update the node-forge package to the latest compatible version. Followings are version details:

Affected version(s): < 1.3.0
Patched version(s): 1.3.0

References

GHSA-cfm4-qjh2-4765
CVE-2022-24771
CWE-347
CAPEC-310
OWASP 2021-A2
OWASP 2021-A6

Related Issues

Improper Verification of Cryptographic Signature in node-forge - CVE-2022-24772
Improper Verification of Cryptographic Signature in `node-forge` - node-forge - GHSA-2r2c-g63r-vccr - CVE-2022-24773
Open Redirect in node-forge - CVE-2022-0122
Improper Verification of Cryptographic Signature - CVE-2021-32685

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; node-forge

Anything's wrong? Let us know Last updated on February 12, 2025