- Node-forge cryptography library flaw (CVE-2025-12816) allowed bypass of signature and certificate validation
- CERT-CC warns of risks including authentication bypass and signed data tampering
- Maintainers released version 1.3.2; developers urged to update immediately
A popular JavaScript cryptography library is vulnerable in a way which could allow threat actors to break into user accounts. The library has since been updated, and users are urged to move to the new version as soon as possible.
The bug was found in the ‘node-forge’ package, a popular cryptography tool that provides functions for things like encryption, decryption, hashing, digital signatures, TLS/SSL, and key generation, all without needing native modules.
The bug lets an attacker craft a bogus ASN.1 data structure that tricks the library into skipping cryptographic checks and allowing signature, or certificate validation, to be bypassed. It is tracked as CVE-2025-12816 and is given a severity score of 8.6/10 (high). Abstract Syntax Notation One (ASN.1) is a standard format used for encoding data in certificates and cryptographic operations.
Significant impact
Carnegie Mellon CERT-CC also issued a security advisory, in which it said the bug can be abused in different ways, and may result in authentication bypass, signed data tempering, or misuses of certificate-related functions.
“In environments where cryptographic verification plays a central role in trust decisions, the potential impact can be significant,” CERT-CC said.
Node.js developers should care because node-forge is a core cryptography library used in countless web apps and services. It is also an immensely popular library, with almost 26 million weekly downloads on the Node Package Manager (npm) registry.
The vulnerability was discovered by cybersecurity researchers from Palo Alto Networks, and was responsibly disclosed to node-forge maintainers, who released a fix earlier this week.
The fix brings the library to version 1.3.2, and developers using node-forge are urged to switch to the new version as soon as possible. As a general rule of thumb, developers should promptly update cryptography dependencies in Node.js projects, as even widely used, trusted packages can contain critical flaws.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/VyYgfUHgbvAsTDDYewj2Am-970-80.jpg
Source link
