CVE-2026-33896

Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)

Platform

nodejs

Component

node-forge

Fixed in

1.4.0

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.

How to fix

Update the Forge library to version 1.4.0 or later. This version fixes the basicConstraints bypass vulnerability in certificate chain verification. The update ensures that the RFC 5280 requirements are enforced.
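The RFC 5280 issuer checks that the vulnerable code skipped, written out as an added example (this is not node-forge's own code). It walks a leaf-first chain and rejects any issuer certificate that lacks `basicConstraints` with `cA=TRUE`, exceeds its `pathLenConstraint`, or carries a `keyUsage` without `keyCertSign`; the certificate objects are constructed for the example and only mimic the extension field names forge exposes (`name`, `cA`, `pathLenConstraint`, `keyCertSign`).

```javascript
// Added example: RFC 5280 section 6.1.4 checks for every issuer in a chain
// ordered leaf first (chain[0]) up to the trust anchor (chain[chain.length - 1]).
// Certificate objects below are constructed stand-ins, not forge objects.
function getExt(cert, name) {
  return cert.extensions.find((e) => e.name === name) || null;
}

// Returns { ok: true } or { ok: false, reason }.
function checkIssuerConstraints(chain) {
  // Every certificate except the leaf acts as the issuer of the one below it.
  for (let i = 1; i < chain.length; i++) {
    const issuer = chain[i];
    const bc = getExt(issuer, 'basicConstraints');
    // RFC 5280 4.2.1.9: a CA certificate MUST carry basicConstraints with cA=TRUE.
    // node-forge < 1.4.0 accepted an issuer with neither basicConstraints nor
    // keyUsage; here an absent extension is a hard failure.
    if (!bc || bc.cA !== true) {
      return { ok: false, reason: `${issuer.subject}: basicConstraints missing or cA=false` };
    }
    // pathLenConstraint bounds how many intermediate CAs may sit below this
    // one; in a leaf-first chain that count is i - 1 (self-issued certs are
    // not special-cased in this simplified example).
    if (typeof bc.pathLenConstraint === 'number' && i - 1 > bc.pathLenConstraint) {
      return { ok: false, reason: `${issuer.subject}: pathLenConstraint ${bc.pathLenConstraint} exceeded` };
    }
    // RFC 5280 4.2.1.3: if keyUsage is present it MUST assert keyCertSign.
    const ku = getExt(issuer, 'keyUsage');
    if (ku && !ku.keyCertSign) {
      return { ok: false, reason: `${issuer.subject}: keyUsage lacks keyCertSign` };
    }
  }
  return { ok: true };
}

// Constructed sample chains (not real certificates).
const root = { subject: 'Example Root', extensions: [{ name: 'basicConstraints', cA: true }, { name: 'keyUsage', keyCertSign: true }] };
const intermediate = { subject: 'Example Intermediate', extensions: [{ name: 'basicConstraints', cA: true, pathLenConstraint: 0 }, { name: 'keyUsage', keyCertSign: true }] };
const leaf = { subject: 'www.example.test', extensions: [{ name: 'keyUsage', digitalSignature: true }] };
// The CVE scenario: a leaf with no basicConstraints and no keyUsage used as an issuer.
const bareLeaf = { subject: 'bare-leaf.example.test', extensions: [] };
const signedByLeaf = { subject: 'victim.example.test', extensions: [] };

const validChain = [leaf, intermediate, root];
const bypassChain = [signedByLeaf, bareLeaf, intermediate, root];

console.log(checkIssuerConstraints(validChain));  // { ok: true }
console.log(checkIssuerConstraints(bypassChain)); // { ok: false, reason: 'bare-leaf.example.test: ...' }
```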
