- Notifications
You must be signed in to change notification settings - Fork68
Description
CVE-2025-66031 - High Severity Vulnerability
Vulnerable Library -node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page:https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /ui/package.json
Path to vulnerable library: /ui/package.json
Dependency Hierarchy:
- @postgres.ai/shared-4.0.0.tgz (Root Library)
- react-scripts-5.0.1.tgz
- webpack-dev-server-4.15.2.tgz
- selfsigned-2.4.1.tgz
- ❌node-forge-1.3.1.tgz (Vulnerable Library)
- selfsigned-2.4.1.tgz
- webpack-dev-server-4.15.2.tgz
- react-scripts-5.0.1.tgz
Found in base branch:master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL:CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin:GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution: node-forge - 1.3.2,https://github.com/digitalbazaar/forge.git - v1.3.2
Step up your Open Source Security Game with Mendhere