Platform: nodejs
Component: node-forge
Fixed in: 1.3.3, 1.3.2
CVE-2025-66030 is an integer overflow vulnerability in the node-forge library, specifically in the asn1.derToOid function. The flaw lets an attacker manipulate ASN.1 structures and potentially bypass security controls that rely on Object Identifiers (OIDs). It affects node-forge versions up to and including 1.3.1; a fix is available in version 1.3.2.
The vulnerability is triggered by crafted ASN.1 structures that contain oversized OIDs. While decoding, asn1.derToOid performs a bitwise truncation, so an oversized OID is decoded as a smaller one that can match a legitimate, trusted OID. Any security mechanism that relies on OID validation can therefore be bypassed, potentially allowing an attacker to impersonate a legitimate entity or gain unauthorized access. The impact is most severe in applications that use node-forge for cryptographic operations or secure communication, where a collision with a trusted OID can compromise the integrity of the entire system.
This CVE was publicly disclosed on 2025-11-26. There is currently no known exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is considered low given the lack of public exploits and the relatively niche nature of the node-forge library.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC: none listed
The primary mitigation for CVE-2025-66030 is to upgrade to node-forge version 1.3.2 or later, which contains the fix for the integer overflow. If upgrading is not immediately feasible, consider adding input validation that restricts the size of OIDs passed to the asn1.derToOid function. A direct workaround is difficult without modifying the library, so a careful review of any ASN.1 parsing logic that uses node-forge is recommended. After upgrading, confirm the fix by decoding a known oversized OID and verifying that it is either rejected or decoded without truncation.
Update the node-forge library to version 1.3.2 or higher. This will correct the integer overflow vulnerability in ASN.1 OID parsing. Run `npm install node-forge@latest` or `yarn add node-forge@latest` to update.
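The bitwise truncation described above and the input validation and post-upgrade check recommended in the mitigation section, as an added example that is not node-forge's own code: a strict decoder for the content octets of a DER OBJECT IDENTIFIER that accumulates each arc in a BigInt and rejects malformed or oversized arcs. `strictDerToOid`, `oidIsSafe`, the 32-bit arc limit and the sample inputs are this example's own choices, not values from the advisory.

```javascript
// Added example, not node-forge code: decode the content octets of a DER
// OBJECT IDENTIFIER (tag and length already stripped) with BigInt arcs,
// so an oversized arc can never wrap around into a smaller, trusted OID.
const MAX_ARC_BITS = 32n; // assumed policy: wider arcs are rejected outright

function strictDerToOid(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length === 0) {
    throw new Error('OID content must be a non-empty Uint8Array');
  }
  if ((bytes[bytes.length - 1] & 0x80) !== 0) {
    throw new Error('OID ends inside a multi-byte arc');
  }
  const arcs = [];
  let value = 0n;   // current arc, accumulated 7 bits at a time
  let arcLen = 0;   // bytes consumed by the current arc so far
  for (const b of bytes) {
    if (arcLen === 0 && b === 0x80) {
      throw new Error('non-minimal arc encoding (leading 0x80 byte)');
    }
    value = (value << 7n) | BigInt(b & 0x7f); // exact, no 32-bit wrap
    arcLen++;
    if (b & 0x80) continue;                   // continuation bit set
    if (value >= (1n << MAX_ARC_BITS)) {
      throw new Error(`OID arc exceeds ${MAX_ARC_BITS} bits`);
    }
    arcs.push(value);
    value = 0n;
    arcLen = 0;
  }
  // The first value packs two arcs as 40*X + Y, with X limited to 0..2.
  const first = arcs[0];
  const x = first < 80n ? first / 40n : 2n;
  const y = first - 40n * x;
  return [x, y, ...arcs.slice(1)].map(String).join('.');
}

// Validation gate for untrusted ASN.1 input: true only if the OID decodes cleanly.
function oidIsSafe(bytes) {
  try { strictDerToOid(bytes); return true; } catch { return false; }
}

// Constructed sample inputs: sha256WithRSAEncryption (1.2.840.113549.1.1.11),
// and an arc equal to 2^33, which a 32-bit accumulator would silently truncate.
const SHA256_RSA = Uint8Array.from([0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]);
const OVERSIZED_ARC = Uint8Array.from([0x2a, 0xa0, 0x80, 0x80, 0x80, 0x00]);
console.log(strictDerToOid(SHA256_RSA), oidIsSafe(OVERSIZED_ARC));
```

Running the same two inputs through the library's own asn1.derToOid before and after the upgrade is the verification step the mitigation section describes: the oversized input must not come back as a short, plausible-looking OID.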
CVE-2025-66030 is an Integer Overflow vulnerability in node-forge versions 1.3.1 and below, allowing attackers to bypass security checks by manipulating ASN.1 OIDs.
You are affected if you are using node-forge versions 1.3.1 or earlier. Upgrade to version 1.3.2 or later to resolve the vulnerability.
Upgrade to node-forge version 1.3.2 or later. If upgrading is not possible immediately, consider implementing input validation for OIDs.
As of now, there is no evidence of active exploitation in the wild, and no public proof-of-concept code is available.
Refer to the official node-forge repository and related security advisories for the most up-to-date information.