GHSA-5gfm-wpxj-wjgq

Source

https://github.com/advisories/GHSA-5gfm-wpxj-wjgq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-5gfm-wpxj-wjgq/GHSA-5gfm-wpxj-wjgq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5gfm-wpxj-wjgq

Aliases

CVE-2025-12816

Downstream

MINI-c53p-4vrc-322r

MINI-gg4x-rqjc-rq6j

Related

Published

2025-11-26T22:07:19Z

Modified

2025-11-26T22:27:49.675787Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization

Details

Summary

CVE-2025-12816 has been reserved by CERT/CC

Description An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Details

A critical ASN.1 validation bypass vulnerability exists in the node-forge asn1.validate function within forge/lib/asn1.js. ASN.1 is a schema language that defines data structures, like the typed record schemas used in X.509, PKCS#7, PKCS#12, etc. DER (Distinguished Encoding Rules), a strict binary encoding of ASN.1, is what cryptographic code expects when verifying signatures, and the exact bytes and structure must match the schema used to compute and verify the signature. After deserializing DER, Forge uses static ASN.1 validation schemas to locate the signed data or public key, compute digests over the exact bytes required, and feed digest and signature fields into cryptographic primitives.

This vulnerability allows a specially crafted ASN.1 object to desynchronize the validator on optional boundaries, causing a malformed optional field to be semantically reinterpreted as the subsequent mandatory structure. This manifests as logic bypasses in cryptographic algorithms and protocols with optional security features (such as PKCS#12, where MACs are treated as absent) and semantic interpretation conflicts in strict protocols (such as X.509, where fields are read as the wrong type).

Impact

This flaw allows an attacker to desynchronize the validator, allowing critical components like digital signatures or integrity checks to be skipped or validated against attacker-controlled data.

This vulnerability impacts the ans1.validate function in node-forge before patched version 1.3.2. https://github.com/digitalbazaar/forge/blob/main/lib/asn1.js.

The following components in node-forge are impacted. lib/asn1.js lib/x509.js lib/pkcs12.js lib/pkcs7.js lib/rsa.js lib/pbe.js lib/ed25519.js

Any downstream application using these components is impacted.

These components may be leveraged by downstream applications in ways that enable full compromise of integrity, leading to potential availability and confidentiality compromises.

Database specific

{
    "nvd_published_at": "2025-11-25T20:15:58Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-436"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2025-11-26T22:07:19Z"
}

References

Affected packages

npm / node-forge

Package

Name: node-forge; View open source insights on deps.dev
Purl: pkg:npm/node-forge

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2