GHSA-65ch-62r8-g69g

Source
https://github.com/advisories/GHSA-65ch-62r8-g69g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-65ch-62r8-g69g/GHSA-65ch-62r8-g69g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-65ch-62r8-g69g
Published
2025-11-26T22:07:44Z
Modified
2025-11-26T22:27:50.019653Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
node-forge is vulnerable to ASN.1 OID Integer Truncation
Details

Summary

MITRE-formatted CVE description: An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.

Description

An ASN.1 OID integer truncation vulnerability exists in the node-forge asn1.derToOid function within forge/lib/asn1.js. OID components (arcs) are decoded using JavaScript's bitwise left-shift operator (<<), which converts its operands to 32-bit signed integers before shifting. Consequently, if an attacker supplies an OID arc whose integer value exceeds $2^{31}-1$, the value silently wraps around rather than causing an error, so a distinct, very large arc can decode to the same small number as a legitimate arc.
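The mechanism described above, shown as an added illustration that is not node-forge's own code: a minimal decoder for the contents octets of a DER OBJECT IDENTIFIER, once with the truncating `<<` pattern and once with arithmetic that keeps full precision and rejects arcs beyond the safe integer range. The function names, the `ARC_LIMIT` bound and the two byte strings are constructed here for the demonstration.

```javascript
// Added illustration, not node-forge's own code: decode the contents octets of a
// DER OBJECT IDENTIFIER (tag and length already stripped) two ways. The first
// accumulates arcs with '<<', which converts operands to 32-bit signed integers,
// so any bits above bit 31 of an oversized arc silently vanish. The second uses
// plain arithmetic and rejects arcs that would not fit a safe JavaScript integer.

function pushArc(arcs, value) {
  if (arcs.length > 0) { arcs.push(value); return; }
  // X.690 packs the first two arcs into one value: 40 * first + second.
  if (value < 80) arcs.push(Math.floor(value / 40), value % 40);
  else arcs.push(2, value - 80);
}

// Shared base-128 walk; `accumulate` decides how each 7-bit digit is folded in.
function derToOid(bytes, accumulate) {
  const arcs = [];
  let value = 0;
  let inArc = false;
  for (const b of bytes) {
    value = accumulate(value, b & 0x7f);
    inArc = true;
    if ((b & 0x80) === 0) { pushArc(arcs, value); value = 0; inArc = false; }
  }
  if (inArc) throw new Error('malformed OID: final octet has continuation bit set');
  return arcs.join('.');
}

// Vulnerable pattern: '<<' truncates to int32, so the arc wraps instead of erroring.
const derToOidTruncating = (bytes) => derToOid(bytes, (v, digit) => (v << 7) | digit);

// Hardened pattern: check the bound before multiplying so precision is never lost.
const ARC_LIMIT = Math.floor(Number.MAX_SAFE_INTEGER / 128);
const derToOidChecked = (bytes) => derToOid(bytes, (v, digit) => {
  if (v > ARC_LIMIT) throw new RangeError('OID arc exceeds Number.MAX_SAFE_INTEGER');
  return v * 128 + digit;
});

// Constructed input: 1.2.840.113549 followed by a fifth arc of 2^35 + 5. The
// 32-bit decoder drops the 2^35 and reports the arc as 5.
const SPOOFED = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x81, 0x80, 0x80, 0x80, 0x80, 0x05];
// Constructed input: 1.2 followed by an arc of 128^8 = 2^56, beyond safe range.
const OVERSIZED = [0x2a, 0x81, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x00];

console.log('truncating:', derToOidTruncating(SPOOFED)); // 1.2.840.113549.5
console.log('checked:   ', derToOidChecked(SPOOFED));    // 1.2.840.113549.34359738373
console.log('truncating:', derToOidTruncating(OVERSIZED)); // 1.2.0
try { derToOidChecked(OVERSIZED); } catch (e) { console.log('checked:    rejected,', e.message); }
```

Any OID comparison made after the truncating decoder (for example matching a certificate extension or algorithm identifier against a known string) sees the wrapped value; the checked decoder either returns the true arc or refuses the input.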

Impact

This vulnerability allows a specially crafted ASN.1 object to spoof an OID, where a malicious certificate with a massive, invalid OID is misinterpreted by the library as a trusted, standard OID, potentially bypassing security controls.

This vulnerability impacts the asn1.derToOid function in node-forge before patched version 1.3.2.

Any downstream application using this component is impacted. Downstream applications may use this component in ways that enable partial compromise of integrity, which can in turn lead to availability and confidentiality compromises.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-190"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2025-11-26T22:07:44Z"
}

Affected packages

npm / node-forge

Affected ranges
Type: SEMVER
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 1.3.2