Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
CVE-2022-24771
This high-severity CVE scores 7.5 under NVD CVSS v3. EPSS exploit probability: 0.2%, top 63% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 7.5(medium)
- EPSS
- 49.4%
- KEV
- Not listed
Published
March 18, 2022
Last Modified
November 21, 2024
References (4)
- security-advisories@githubhttps://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
- security-advisories@githubhttps://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
- af854a3a-2127-422b-91ae-364da2661108https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
- af854a3a-2127-422b-91ae-364da2661108https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
Vendor Advisories for CVE-2022-24771(5)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2022:6835Red Hat Product SecurityHigh
Red Hat Security Advisory: Service Registry (container images) release and security update [2.3.0.GA]
- RHSA-2022:6813Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.1 security update
- RHSA-2022:6156Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update
- RHSA-2022:1739Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat OpenShift Service Mesh 2.1.2.1 containers security update
- RHSA-2022:1681Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.4.4 security updates and bug fixes
Affected Packages
(1 across 1 ecosystem)
npm(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| node-forge | — | 1.3.0 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Frequently asked(5)
What is CVE-2022-24771?
When was CVE-2022-24771 disclosed?
Is CVE-2022-24771 actively exploited?
What is the CVSS score of CVE-2022-24771?
How do I remediate CVE-2022-24771?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2022-24771
Is Your Infrastructure Affected by CVE-2022-24771?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.