node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
- Severity: High
Description
CVE-2025-12816 has been reserved by CERT/CC
An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.
Recommendation
Update the node-forge package to the latest compatible version. Version details:
- Affected version(s): < 1.3.2
- Patched version(s): 1.3.2
References
- GHSA-5gfm-wpxj-wjgq
- kb.cert.org
- www.kb.cert.org
- www.npmjs.com
- CVE-2025-12816
- CWE-436
- CAPEC-310
- OWASP 2021-A6
Related Issues
- node-forge has ASN.1 Unbounded Recursion - CVE-2025-66031
- Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525
- Webrecorder packages are vulnerable to XSS through 404 error handling logic (GHSA-w765-jm6w-4hhj) - CVE-2025-58765
- Prototype Pollution in node-forge - CVE-2020-7720
- Tags: npm, node-forge
Last updated on November 26, 2025