Sourced fromnode-forge's changelog.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1structures to desynchronize schema validations, yielding a semanticdivergence that may bypass downstream cryptographic verifications andsecurity decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID:CVE-2025-12816
  • GHSA ID:GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions1.3.1 and below enables remote, unauthenticated attackers to craft deepASN.1 structures that trigger unbounded recursive parsing. This leads to aDenial-of-Service (DoS) via stack exhaustion when parsing untrusted DERinputs.
  • Reported by Hunter Wodzenski.
  • CVE ID:CVE-2025-66031
  • GHSA ID:GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1and below enables remote, unauthenticated attackers to craft ASN.1structures containing OIDs with oversized arcs. These arcs may be decodedas smaller, trusted OIDs due to 32-bit bitwise truncation, enabling thebypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID:CVE-2025-66030
  • GHSA ID:GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified byCVE-2025-12816 PKCS#12 MACverification bypass due to missing macData enforcement and improperasn1.validate routine.
• [asn1] AddfromDer() max recursion depth check.
  • Add aasn1.maxDepth global configurable maximum depth of 256.
  • Add aasn1.fromDer() per-callmaxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for validdata. If this assumption is false then this could be a breaking change.Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-callmaxDepth parameter has not been exposed up throughall of the API stack due to the complexities involved. Please file an issueif there are use cases that require this instead of changing the defaultmaximum.
• [asn1] Improve OID handling.
  • Error on parsed OID values larger than2**32 - 1.
  • Error on DER OID values larger than2**53 - 1.

• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• d75e08d Run new security test.
• a5ce91d Update changelog formatting.
• 4652de6 Cleanups.
• eb932d9 Fix typo.
• db6954b Fix style.
• afbf7d8 Align error message style.
• 6607445 Revert minor changes.
• Additional commits viewable incompare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from theSecurity Alerts page.