Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
CVE-2026-33895
This high-severity CVE scores 7.5 under NVD CVSS v3. EPSS exploit probability: 0.0%, top 87% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 7.5(medium)
- EPSS
- 26.9%
- KEV
- Not listed
Published
March 27, 2026
Last Modified
July 15, 2026
Advisory Details (3)
Auto-updated Jun 10, 2026Signature forgery in Ed25519 due to missing S < L check · Advisory · digitalbazaar/forge · GitHub
https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rwcommit bdecf11571c9 (digitalbazaar/forge)
Fix landed in digitalbazaar/forge commit bdecf11571c9 — awaiting tagged release
https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85RFC 8032 - Edwards-Curve Digital Signature Algorithm (EdDSA)
https://datatracker.ietf.org/doc/html/rfc8032#section-8.4Vendor Advisories for CVE-2026-33895(5)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2026:34342Red Hat Product SecurityCritical
Red Hat Security Advisory: Cluster Observability Operator 1.5.0
- RHSA-2026:24761Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update
- CVE-2026-33895Microsoft Security Response Center (MSRC)High
Forge has signature forgery in Ed25519 due to missing S > L check
- RHSA-2026:13826Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat Developer Hub 1.9.4 release.
- RHSA-2026:9742Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat Developer Hub 1.8.6 release.
Frequently asked(5)
What is CVE-2026-33895?
When was CVE-2026-33895 disclosed?
Is CVE-2026-33895 actively exploited?
What is the CVSS score of CVE-2026-33895?
How do I remediate CVE-2026-33895?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-33895
Is Your Infrastructure Affected by CVE-2026-33895?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.