- Node-forge cryptography library flaw (CVE-2025-12816) allowed signature and certificate validation bypass
- CERT-CC warns of risks including bypassing authentication and signed data manipulation
- Maintainers released version 1.3.2; developers are encouraged to update immediately
A popular JavaScript cryptography library is vulnerable in a way that could let attackers bypass checks that applications rely on for authentication and data integrity. The library has since been updated and users are encouraged to move to the new version as soon as possible.
The flaw was found in the ‘node-forge’ package, a widely used cryptography toolkit written in pure JavaScript that provides encryption, decryption, hashing, digital signatures, TLS/SSL and key generation without relying on Node.js’s built-in crypto module.
The flaw, tracked as CVE-2025-12816 and given a severity rating of 8.6 out of 10 (high), allows an attacker to craft a malformed ASN.1 data structure that tricks the library into skipping cryptographic checks, so that signature or certificate validation can be bypassed. Abstract Syntax Notation One (ASN.1) is the standard encoding used for X.509 certificates, signatures and other data handled in cryptographic operations.
Significant impact
Carnegie Mellon University’s CERT Coordination Center (CERT-CC) also issued an advisory saying the flaw can be exploited in several ways and could result in authentication bypass, tampering with signed data, or abuse of certificate-related functions.
“In environments where cryptographic verification plays a central role in trust decisions, the potential impact can be significant,” CERT-CC said.
Node.js developers should care because node-forge is a core cryptography library used in countless web apps and services, with nearly 26 million weekly downloads on the Node Package Manager (npm) registry.
The vulnerability was discovered by cybersecurity researchers from Palo Alto Networks and was responsibly disclosed to node-forge maintainers, who released a fix earlier this week.
The fix brings the library to version 1.3.2, and developers using node-forge are encouraged to switch to the new version as soon as possible. node-forge is often pulled in indirectly by other packages, so it is worth checking the lockfile for nested copies rather than only the project’s own package.json. As a general rule, developers should promptly update cryptography dependencies in Node.js projects, as even widely used, trusted packages can contain critical bugs.
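Because node-forge frequently arrives as a transitive dependency, the quickest way to know whether a project is exposed is to inspect the lockfile. The script below is an added example written for this page (it is not from the article, from CERT-CC or from the node-forge project): it reads an npm package-lock.json, lists every installed copy of node-forge, including nested ones, and flags any older than the fixed release 1.3.2. It handles lockfileVersion 1 (nested "dependencies") and versions 2/3 (flat "packages" map). The sample lockfile embedded at the bottom is constructed for the demo; the file name check-forge.js in the usage note is hypothetical.

```javascript
// Added example, not code from the article or the node-forge project: scan an
// npm package-lock.json for node-forge installs below the fixed release 1.3.2.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
const FIXED_VERSION = '1.3.2'; // first release containing the fix, per the article
const PACKAGE = 'node-forge';

// Parse "1.3.1", "v1.3.1" or "1.3.1-beta.0" into [major, minor, patch].
// Prerelease tags are ignored, which is conservative: "1.3.2-rc.1" counts as fixed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions; returns -1, 0 or 1.
// (String comparison would wrongly rank "1.10.0" below "1.3.2".)
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk a lockfileVersion 1 "dependencies" tree and collect node-forge entries,
// rebuilding the install path so the report shows which package pulled it in.
function collectV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE && entry.version) out.push({ path, version: entry.version });
    if (entry.dependencies) collectV1(entry.dependencies, `${path}/`, out);
  }
}

// Return every node-forge install found in a parsed lockfile object.
function findNodeForge(lock) {
  const found = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/a/node_modules/node-forge".
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PACKAGE}`) && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    collectV1(lock.dependencies, '', found);
  }
  return found;
}

// Installs that predate the fix.
function vulnerableInstalls(lock) {
  return findNodeForge(lock).filter(i => compareVersions(i.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile (lockfileVersion 3) for the demo: a direct
// node-forge 1.3.2 plus a nested, still-vulnerable 1.3.1 pulled in by "some-lib".
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'node-forge': '^1.3.2', 'some-lib': '^2.0.0' } },
    'node_modules/node-forge': { version: '1.3.2' },
    'node_modules/some-lib': { version: '2.0.0', dependencies: { 'node-forge': '~1.3.0' } },
    'node_modules/some-lib/node_modules/node-forge': { version: '1.3.1' },
  },
};

// When run directly: scan the lockfile given on the command line, or the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const bad = vulnerableInstalls(lock);
  for (const b of bad) console.log(`VULNERABLE ${b.path} ${b.version} (< ${FIXED_VERSION})`);
  if (bad.length === 0) console.log(`no node-forge older than ${FIXED_VERSION} found`);
  if (file) process.exitCode = bad.length ? 1 : 0; // non-zero exit for CI when a real lockfile fails
}

if (typeof module !== 'undefined') {
  module.exports = { parseVersion, compareVersions, findNodeForge, vulnerableInstalls, SAMPLE_LOCK };
}
```

Run it as `node check-forge.js package-lock.json` in the project root; with no argument it scans the built-in sample and reports the nested 1.3.1 copy. The same information is available from `npm ls node-forge`, which prints every installed copy with the chain that pulled it in, and `npm audit` will report the advisory once it is in npm's vulnerability database; the script is useful where those commands cannot run, for example when only the lockfile is available in a CI job or a repository scan.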
Via Bleeping Computer