Platform
nodejs
Component
node-forge
Fixed in
1.3.0
CVE-2022-24772 is a vulnerability in the node-forge package related to RSA PKCS#1 v1.5 signature verification. Specifically, the code doesn't check for trailing garbage bytes, potentially allowing signature forgery when a low public exponent is used. This issue affects node-forge and has been addressed in version 1.3.0.
CVE-2022-24772 affects the node-forge library, specifically its RSA PKCS#1 v1.5 signature verification code. The vulnerability lies in the lack of validation for trailing garbage bytes after decoding a DigestInfo ASN.1 structure. This allows an attacker to remove padding bytes and add garbage data to forge a signature when a low public exponent is being used. The risk is significant for applications relying on node-forge for secure RSA PKCS#1 v1.5 signature verification, as an attacker could compromise data integrity and transaction authenticity.
Exploitation of this vulnerability requires a deep understanding of ASN.1 structure and the workings of RSA PKCS#1 v1.5 signatures. An attacker would need to intercept or generate an RSA PKCS#1 v1.5 signature, modify the padding to include malicious data, and then present the modified signature for verification. The success of exploitation depends on the specific signature verification implementation and the public exponent used. The complexity of exploitation does not diminish the severity of the vulnerability, as a sufficiently resourced and skilled attacker could leverage it to compromise affected systems.
Exploit Status
EPSS
0.16% (37% percentile)
CVSS Vector
The fix for this vulnerability is to update the node-forge library to version 1.3.0 or higher. This version includes corrections that properly validate garbage bytes after ASN.1 decoding, mitigating the risk of signature forgery. All node-forge users are strongly advised to apply this update as soon as possible. Additionally, review code utilizing node-forge to ensure best security practices are followed and exposure to potential attacks is minimized. The update should be prioritized for critical systems.
Actualice a la versión 1.3.0 o superior de node-forge para corregir la vulnerabilidad. Esta actualización aborda la verificación incorrecta de la firma criptográfica al decodificar estructuras ASN.1, previniendo la falsificación de firmas en ciertos escenarios.
Vulnerability analysis and critical alerts directly to your inbox.
ASN.1 (Abstract Syntax Notation One) is a standard for defining and representing structured data. It's widely used in network protocols and file formats.
PKCS#1 v1.5 is a standard for the format of RSA messages, including signatures and encryption.
Version 1.3.0 fixes the vulnerability by validating garbage bytes, preventing signature forgery.
If immediate updating isn't possible, consider implementing additional mitigation measures, such as validating the source of signatures and using a larger public exponent.
It's important to stay up-to-date with the latest security updates for node-forge and other libraries your application uses.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.