Update node-forge to fix CVE-2025-66031 #3025
Description
[READ] Step 1: Are you in the right place?
- For issues related to the code in this repository file a Github issue.
- If the issue pertains to Cloud Firestore, read the instructions in the "Firestore issue"
template. - For general technical questions, post a question on StackOverflow
with the firebase tag. - For general Firebase discussion, use the firebase-talk
google group. - For help troubleshooting your application that does not fall under one
of the above categories, reach out to the personalized
Firebase support channel.
[REQUIRED] Step 2: Describe your environment
- Operating System version:
node:24.10-bookworm - Firebase SDK version:
13.2.0 - Firebase Product:
auth - Node.js version:
24.10.0 - NPM version:
11.6.1
[REQUIRED] Step 3: Describe the problem
See:
Steps to reproduce:
- Add
firebase-admin@13.2.0to a project as a dependency - Run
npm audit - Receive the following warning:
# npm audit report
node-forge <=1.3.1
Severity: high
node-forge has ASN.1 Unbounded Recursion - https://github.com/advisories/GHSA-554w-wpv2-vw27
node-forge is vulnerable to ASN.1 OID Integer Truncation - https://github.com/advisories/GHSA-65ch-62r8-g69g
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - https://github.com/advisories/GHSA-5gfm-wpxj-wjgq
fix available via `npm audit fix`
node_modules/node-forge