Platform: nodejs
Component: node-forge
Fixed in: 1.3.3, 1.3.2
CVE-2025-66031 describes a Denial-of-Service (DoS) vulnerability in node-forge versions 1.3.1 and earlier. This flaw arises from uncontrolled recursion within the ASN.1 DER parser, allowing attackers to craft deep ASN.1 structures that exhaust system resources and lead to a crash. The vulnerability has a CVSS score of 7.5 (HIGH) and has been addressed in version 1.3.2.
Successful exploitation of CVE-2025-66031 allows an attacker to cause a denial-of-service condition on systems running vulnerable versions of node-forge. By providing a specially crafted DER-encoded ASN.1 input, the attacker can trigger unbounded recursive parsing, leading to stack exhaustion and ultimately crashing the application. This can disrupt services, prevent legitimate users from accessing resources, and potentially lead to system instability. The impact is particularly severe in environments where node-forge is used to process untrusted ASN.1 data.
CVE-2025-66031 was published on 2025-11-26. The vulnerability's severity is rated as HIGH (CVSS 7.5). Public proof-of-concept (PoC) exploits may be available, increasing the risk of exploitation. Monitor security advisories and threat intelligence feeds for any updates regarding active campaigns targeting this vulnerability. The EPSS score is likely medium, given the availability of a fix and the complexity of crafting a malicious ASN.1 structure.
Applications and services utilizing the node-forge library for ASN.1 parsing, particularly those processing untrusted external data such as certificates or cryptographic keys, are at risk. This includes systems integrating with X.509 certificate authorities or other protocols relying on ASN.1 data structures.
• nodejs / server:
  ps aux | grep asn1.fromDer | grep -v grep
• nodejs / server:
  journalctl -u nodejs | grep asn1.fromDer
• generic web: Monitor Node.js application logs for errors related to stack overflows or excessive memory usage during ASN.1 parsing. Look for patterns indicating unusually large or deeply nested ASN.1 structures in request payloads.
Disclosure
Exploit status
EPSS: 0.11% (30th percentile)
CISA SSVC
The primary mitigation for CVE-2025-66031 is to upgrade to node-forge version 1.3.2 or later. If upgrading is not immediately feasible, implement input validation to limit the depth of ASN.1 structures processed by the asn1.fromDer function. Consider using a different ASN.1 parsing library that implements more robust recursion limits. Monitor system resources (CPU, memory, stack usage) for signs of excessive ASN.1 parsing activity. After upgrading, verify the fix by attempting to parse a deep ASN.1 structure; it should be handled without causing a crash.
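As an added example (not node-forge's own code), the depth limit suggested above can be enforced on the raw DER bytes before they are handed to asn1.fromDer. The names derDepth, readLength and nestedSequences are chosen here, the limit of 10 is an assumed policy value, and the nested SEQUENCE sample is constructed for illustration.

```javascript
// Added example, not node-forge's own code: a pre-parse guard that walks DER headers with an
// explicit stack (no recursion) and rejects input nested deeper than maxDepth before it reaches asn1.fromDer.
function readLength(buf, pos) {
  // DER definite-form length: short form (< 0x80) or long form (0x80 | n, then n bytes).
  const first = buf[pos];
  if (first === undefined) throw new Error('truncated length');
  if (first < 0x80) return { length: first, next: pos + 1 };
  const n = first & 0x7f;
  if (n === 0 || n > 4 || pos + n >= buf.length) throw new Error('invalid or truncated DER length');
  let length = 0;
  for (let i = 1; i <= n; i++) length = length * 256 + buf[pos + i];
  return { length, next: pos + 1 + n };
}

function derDepth(buf, maxDepth) {
  const ends = []; let pos = 0, maxSeen = 0;        // ends: end offset of each open constructed element
  while (pos < buf.length || ends.length) {
    while (ends.length && pos === ends[ends.length - 1]) ends.pop(); // close finished elements
    if (pos >= buf.length) break;
    const tag = buf[pos];
    let next = pos + 1;
    if ((tag & 0x1f) === 0x1f) {                      // high-tag-number form: skip continuation bytes
      while (buf[next] !== undefined && buf[next] & 0x80) next++;
      if (++next > buf.length) throw new Error('truncated tag');
    }
    const { length, next: body } = readLength(buf, next);
    const end = body + length;
    if (end > (ends.length ? ends[ends.length - 1] : buf.length)) throw new Error('element overruns its parent');
    if (tag & 0x20) {                                 // constructed: descend into its contents
      ends.push(end);
      maxSeen = Math.max(maxSeen, ends.length);
      if (maxSeen > maxDepth) throw new RangeError(`ASN.1 nesting depth exceeds ${maxDepth}`);
      pos = body;
    } else {
      pos = end;                                      // primitive: skip its contents
    }
  }
  return maxSeen;
}

// Constructed sample input: INTEGER 5 wrapped in `depth` nested SEQUENCEs.
function nestedSequences(depth) {
  let der = Buffer.from([0x02, 0x01, 0x05]);
  for (let i = 0; i < depth; i++) {
    const n = der.length;
    const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
    der = Buffer.concat([Buffer.from([0x30, ...len]), der]);
  }
  return der;
}
```

Run derDepth on untrusted input first and call asn1.fromDer only when it returns; a RangeError (or any parse error) is the signal to reject the request without parsing.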
Update the node-forge library to version 1.3.2 or later. This resolves the uncontrolled recursion vulnerability. You can update using npm with the command `npm install node-forge@latest`.
CVE-2025-66031 is a Denial-of-Service vulnerability in the node-forge library's ASN.1 parser. Malicious ASN.1 structures can trigger unbounded recursion, leading to a crash.
You are affected if you are using node-forge versions 1.3.1 or earlier. Upgrade to 1.3.2 or later to resolve the vulnerability.
Upgrade to node-forge version 1.3.2 or later. If immediate upgrade is not possible, implement input validation to limit ASN.1 structure complexity.
There is currently no confirmed active exploitation, but the vulnerability is relatively easy to exploit and PoCs are likely to emerge.
Refer to the node-forge project's repository and release notes for the latest advisory and information regarding this vulnerability.