- Notifications
You must be signed in to change notification settings - Fork68
Description
CVE-2025-12816 - High Severity Vulnerability
Vulnerable Library -node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page:https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- @postgres.ai/shared-4.0.0.tgz (Root Library)
- react-scripts-5.0.1.tgz
- webpack-dev-server-4.15.2.tgz
- selfsigned-2.4.1.tgz
- ❌node-forge-1.3.1.tgz (Vulnerable Library)
- selfsigned-2.4.1.tgz
- webpack-dev-server-4.15.2.tgz
- react-scripts-5.0.1.tgz
Found in base branch:master
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL:CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin:GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution: node-forge - 1.3.2,https://github.com/digitalbazaar/forge.git - v1.3.2
Step up your Open Source Security Game with Mendhere