Node-forge ASN.1 validation signature verification bypass (CVE-2025-12816)
Vulnerability
Summary
CVE-2025-12816 affects node-forge versions 1.3.1 and earlier, where an ASN.1 validation flaw can let malformed data pass as valid and bypass signature verification. The issue can undermine authentication, signed data integrity, and certificate-related trust decisions in applications that rely on the library. A fix is available in node-forge 1.3.2.
Timeline
26.11.2025 21:32
node-forge CVE-2025-12816 ASN.1 verification bypass
Initial Disclosure
CVE-2025-12816 affects node-forge versions 1.3.1 and earlier, where malformed ASN.1 structures can desynchronize schema validations and let unauthenticated attackers bypass downstream cryptographic verifications. Hunter Wodzenski of Palo Alto Networks reported the flaw responsibly and provided a proof-of-concept, while Carnegie Mellon CERT-CC warned that affected applications may face authentication bypass, signed data tampering, and misuse of certificate-related functions. A fix was released in node-forge 1.3.2 earlier today.
Sources
- Popular Forge library gets fix for signature verification bypass flaw — www.bleepingcomputer.com — 26.11.2025 21:32