惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
IT之家
IT之家
S
SegmentFault 最新的问题
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 司徒正美
J
Java Code Geeks
博客园 - 聂微东
雷峰网
雷峰网
阮一峰的网络日志
阮一峰的网络日志
The Cloudflare Blog
博客园_首页
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 【当耐特】
腾讯CDC
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
宝玉的分享
宝玉的分享
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Hugging Face - Blog
Hugging Face - Blog
月光博客
月光博客
NISL@THU
NISL@THU
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
L
LINUX DO - 热门话题
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
F
Fortinet All Blogs
博客园 - Franky
L
Lohrmann on Cybersecurity
S
Secure Thoughts
量子位
V
Vulnerabilities – Threatpost
Last Week in AI
Last Week in AI
博客园 - 叶小钗
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LINUX DO - 最新话题
I
InfoQ
C
CERT Recently Published Vulnerability Notes
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
G
GRAHAM CLULEY
Cisco Talos Blog
Cisco Talos Blog

CERT Recently Published Vulnerability Notes

CERT/CC Vulnerability Note VU#326070 CERT/CC Vulnerability Note VU#529388 VU#564823: GNU Wget enables SSRF via unvalidated FTP PASV IPs CERT/CC Vulnerability Note VU#152953 CERT/CC Vulnerability Note VU#734812 CERT/CC Vulnerability Note VU#849433 CERT/CC Vulnerability Note VU#213560 CERT/CC Vulnerability Note VU#828543 CERT/CC Vulnerability Note VU#639124 CERT/CC Vulnerability Note VU#936962 CERT/CC Vulnerability Note VU#226679 CERT/CC Vulnerability Note VU#457458 CERT/CC Vulnerability Note VU#380058 CERT/CC Vulnerability Note VU#862559 CERT/CC Vulnerability Note VU#616257 CERT/CC Vulnerability Note VU#595768 CERT/CC Vulnerability Note VU#615987 CERT/CC Vulnerability Note VU#265691 CERT/CC Vulnerability Note VU#873170 CERT/CC Vulnerability Note VU#158530 CERT/CC Vulnerability Note VU#780781 CERT/CC Vulnerability Note VU#980487 CERT/CC Vulnerability Note VU#777338 CERT/CC Vulnerability Note VU#471747 CERT/CC Vulnerability Note VU#937808 CERT/CC Vulnerability Note VU#260001 CERT/CC Vulnerability Note VU#748485 CERT/CC Vulnerability Note VU#518910 CERT/CC Vulnerability Note VU#890999 CERT/CC Vulnerability Note VU#414811 CERT/CC Vulnerability Note VU#915947 CERT/CC Vulnerability Note VU#536588 CERT/CC Vulnerability Note VU#951662 CERT/CC Vulnerability Note VU#655822 CERT/CC Vulnerability Note VU#221883 CERT/CC Vulnerability Note VU#330121 CERT/CC Vulnerability Note VU#577436 CERT/CC Vulnerability Note VU#624941 CERT/CC Vulnerability Note VU#907705 CERT/CC Vulnerability Note VU#665416 CERT/CC Vulnerability Note VU#976247 CERT/CC Vulnerability Note VU#772695 CERT/CC Vulnerability Note VU#431821 CERT/CC Vulnerability Note VU#504749 CERT/CC Vulnerability Note VU#458422 CERT/CC Vulnerability Note VU#481830
CERT/CC Vulnerability Note VU#725167
2026-07-16 · via CERT Recently Published Vulnerability Notes

Overview

Two distinct cryptographic signature verification vulnerabilities exist in Digital Bazaar node-forge, a widely used JavaScript library implementing cryptographic primitives for Node.js and browser environments. These vulnerabilities allow attackers to forge RSA (PKCS#1 v1.5) and Ed25519 signatures under specific, exploitable conditions.

Description

Both vulnerabilities stem from insufficient enforcement of canonical cryptographic structures during verification: in the RSA case, non-standard ASN.1 encodings and undersized padding are accepted; in the Ed25519 case, non-canonical signature scalars are not rejected. As a result, node-forge accepts signatures that appear valid internally but are rejected by industry-standard libraries such as OpenSSL and Node.js’s native crypto module.

The vulnerabilities affect node-forge versions 0.1.2 through 1.3.3 for RSA-PKCS#1 v1.5, and 0.7.4 through 1.3.3 for Ed25519. Both issues were resolved in v1.4.0, released on 2026-04-05.

CVE-2026-33894 arises in lib/rsa.js, where RSASSA-PKCS1-v1_5 verification accepts forged signatures due to two related flaws. First, the ASN.1 parser for DigestInfo permits non-canonical encodings—specifically, structures with more than the two required fields (algorithm OID and octet string), including attacker-controlled additional data. Second, the PKCS#1 v1.5 decoding logic fails to enforce the RFC 2313 requirement that the padding string (PS) must be at least 8 bytes. These combined weaknesses enable attackers to construct specially crafted signatures, particularly with low public exponents (e.g., e = 3), that node-forge validates successfully while standard implementations correctly reject them.

CVE-2026-33895 resides in lib/ed25519.js, where signature verification does not enforce scalar canonicality as mandated by RFC 8032. The scalar S (last 32 bytes of the signature) is used without ensuring it lies within the valid range [0, L−1], where L is the Ed25519 group order. Consequently, signatures with S′ = S + k·L (e.g., S + L) verify as valid in node-forge, even though canonical implementations such as Node.js crypto and OpenSSL reject them. This undermines assumptions about signature uniqueness and enables substitution attacks in systems relying on strict byte-for-byte signature validity—for instance, audit logs, token binding, or attestation protocols.

Impact

The most immediate concern is integrity: attackers may forge signatures for arbitrary messages in the RSA case or mutate valid Ed25519 signatures in ways that remain accepted by node-forge. Such forgery enables bypassing authentication, code-signing, or session-bound token validations, especially in workflows where node-forge is used as the sole verification engine.

The scope is broad. Any application using node-forge’s default verification APIs—including JOSE libraries like node-jose, certificate tooling from Adobe and Expo, and custom PKI integrations—is potentially affected. Because the vulnerabilities manifest in the default configuration (i.e., no unusual flags or options required), unpatched deployments face exposure without any operator action.

Exploitation is straightforward. Public proofs of concept demonstrate RSA forgery with low-exponent keys and Ed25519 scalar manipulation with minimal effort, and both attacks work over the network against remote endpoints performing verification.

Solution

The vulnerabilities have been fully addressed in node-forge v1.4.0, released on 2026-04-05. This release enforces strict canonical validation: RSA verification now rejects non-canonical DigestInfo structures and enforces PS greater than or equal to 8 bytes of padding, while Ed25519 verification explicitly checks that S < L.

After upgrading, users can verify the fix by running the included test suite, which includes dedicated test cases for both CVEs.

If you maintain downstream packages that depend on node-forge, update your dependency lockfiles and test thoroughly with v1.4.0 before releasing. Even indirect usage through frameworks, build tools, or security plugins may expose your users to risk until the transitive dependency is upgraded.

Mitigations

If immediate upgrade is not possible due to legacy dependencies or indirect usage in transitive dependencies, the following interim measures are recommended:
1. Audit all call sites invoking forge.pki.publicKey.verify(), ed25519.verify(), or JOSE-based verification routes.
2. Where feasible, fall back to Node.js native crypto.verify() for RSA and Ed25519 validation, particularly in high-assurance flows such as code signing or identity assertion.
3. In critical workflows, consider implementing cross-library verification: for instance, compute the signature with node-forge but validate it using the Node.js crypto module as a secondary check.

It is important to note that options such as_parseAllDigestBytes: true do not mitigate these vulnerabilities, as they neither enforce ASN.1 strictness nor padding length. Relying on them may create a false sense of security.

Acknowledgements

This vulnerability was discovered by Austin Chu, Sohee Kim, and Corban Villa, of the University of California, Berkeley, as part of a security research project. This AI-assisted vulnerability note was prepared by Timur Snoke.

Vendor Information

Filter by content: Additional information available

 Sort by:

CVE IDs: CVE-2026-33894 CVE-2026-33895
API URL: VINCE JSON | CSAF
Date Public: 2026-07-15
Date First Published: 2026-07-15
Date Last Updated: 2026-07-15 16:24 UTC
Document Revision: 2