Signature Verification Bypass in node-forge Library (CVE-2025-12816)
Summary
A high-severity vulnerability (CVE-2025-12816) in the popular node-forge JavaScript cryptography library allows attackers to bypass signature verification by crafting malformed ASN.1 data. The flaw affects versions 1.3.1 and earlier and could lead to authentication bypass, data tampering, and misuse of certificate functions. A patch (version 1.3.2) has been released to address the issue.
Timeline
- 26.11.2025 21:32 (1 article)
  node-forge Releases Fix for Signature Verification Bypass Flaw
A high-severity vulnerability (CVE-2025-12816) in node-forge, a popular JavaScript cryptography library, has been patched in version 1.3.2. The flaw allows attackers to bypass signature verification by crafting malformed ASN.1 data, potentially leading to authentication bypass and data tampering. The vulnerability was discovered by Hunter Wodzenski of Palo Alto Networks and responsibly reported to the node-forge developers.
Sources:
- Popular Forge library gets fix for signature verification bypass flaw — www.bleepingcomputer.com — 26.11.2025 21:32
Information Snippets
- The vulnerability is tracked as CVE-2025-12816 and has a high severity rating.
  First reported: 26.11.2025 21:32 (1 source, 1 article)
- The flaw arises from the ASN.1 validation mechanism in node-forge, allowing malformed data to pass cryptographic checks.
  First reported: 26.11.2025 21:32 (1 source, 1 article)
- Hunter Wodzenski of Palo Alto Networks discovered and responsibly reported the vulnerability.
  First reported: 26.11.2025 21:32 (1 source, 1 article)
- The vulnerability can lead to authentication bypass, signed data tampering, and misuse of certificate-related functions.
  First reported: 26.11.2025 21:32 (1 source, 1 article)
- node-forge has close to 26 million weekly downloads on the NPM registry.
  First reported: 26.11.2025 21:32 (1 source, 1 article)
- A fix was released in version 1.3.2 of node-forge.
  First reported: 26.11.2025 21:32 (1 source, 1 article)
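A dependency check for the affected range stated above (1.3.1 and earlier, fixed in 1.3.2), as an added example that is not from the article or the node-forge project: it walks a parsed package-lock.json and reports every installed copy of node-forge below the fixed version, including copies nested under other packages. The function names and the sample lockfile (with its package names) are constructed for illustration.

```javascript
// Added example: flag node-forge installs older than the fixed release 1.3.2.
const FIXED = [1, 3, 2]; // fixed version named on this page

// True when a "major.minor.patch" string sorts before FIXED.
// A pre-release of the fixed version (e.g. "1.3.2-rc.1") is also flagged.
function isVulnerable(version) {
  const [core, pre] = String(version).split('-', 2);
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return true; // unparseable: review by hand
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return pre !== undefined;
}

// Walk a parsed package-lock.json (v1 "dependencies" tree or v2/v3 "packages" map).
function findVulnerableForge(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/node-forge".
    if (path.endsWith('node_modules/node-forge') && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'node-forge' && isVulnerable(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 carries both; avoid double counting
  return hits;
}

// Constructed sample lockfile with hypothetical package names (not from the page).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/node-forge': { version: '1.3.2' },
    'node_modules/legacy-sso/node_modules/node-forge': { version: '1.3.1' },
    'node_modules/old-tls/node_modules/node-forge': { version: '0.10.0' },
  },
};
console.log(findVulnerableForge(sampleLock));
```

To audit a real project, pass the result of `JSON.parse` on its package-lock.json to `findVulnerableForge` instead of the sample object.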