node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
- Severity: High
Description
CVE-2025-12816 has been reserved by CERT/CC
An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.
Recommendation
Update the node-forge package to the latest compatible version. Version details:
- Affected version(s): < 1.3.2
- Patched version(s): 1.3.2
References
- GHSA-5gfm-wpxj-wjgq
- kb.cert.org
- www.kb.cert.org
- www.npmjs.com
- CVE-2025-12816
- CWE-436
- CAPEC-310
- OWASP 2021-A6
Related Issues
- node-forge has ASN.1 Unbounded Recursion - CVE-2025-66031
- node-forge is vulnerable to ASN.1 OID Integer Truncation - CVE-2025-66030
- validator.js has a URL validation bypass vulnerability in its isURL function - CVE-2025-56200
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- Tags: npm, node-forge
Last updated on November 26, 2025