CVE-2025-66031 (High) detected in node-forge-0.10.0.tgz #92
Description
CVE-2025-66031 - High Severity Vulnerability
Vulnerable Library - node-forge-0.10.0.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
- build-angular-13.0.3.tgz (Root Library)
- webpack-dev-server-4.4.0.tgz
- selfsigned-1.10.11.tgz
- ❌ node-forge-0.10.0.tgz (Vulnerable Library)
- selfsigned-1.10.11.tgz
- webpack-dev-server-4.4.0.tgz
Found in HEAD commit: 977ea6ccaaf2045985ee40cacd5f6d676fa1a047
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (@angular-devkit/build-angular): 13.2.0
Step up your Open Source Security Game with Mend here