Platform
nodejs
Component
node-forge
Fixed in
1.3.3
1.3.2
A Denial-of-Service (DoS) vulnerability exists in the node-forge library, specifically in the asn1.fromDer function of its ASN.1 DER parser. Classified as Uncontrolled Recursion (CWE-674), it allows a remote, unauthenticated attacker who can get DER-encoded input in front of the parser to trigger unbounded recursion with a crafted ASN.1 structure. Versions prior to 1.3.2 are affected; upgrading to a patched release resolves the issue.
The root cause is that the internal _fromDer function, which asn1.fromDer calls for each element, recurses once per level of nesting with no depth limit. A specially crafted DER input containing deeply nested SEQUENCE or SET elements (any constructed tag will do) therefore forces one recursive call per level and exhausts the call stack. In Node.js this surfaces as a RangeError ("Maximum call stack size exceeded"): if the calling code does not catch it, the exception is unhandled and the process exits, taking every in-flight request with it; if it is caught, the single request fails but the parser has still burned CPU and stack on the way down. The blast radius covers any application that feeds untrusted DER to node-forge, which in practice means code that parses client-supplied certificates, CSRs, PKCS#7 or PKCS#12 bundles, or raw ASN.1 received from the network. No data is exposed, but the availability loss can be repeated cheaply and may be used as cover for other activity.
This vulnerability was publicly disclosed on 2025-11-26. There is no indication of it being added to the CISA KEV catalog at this time. No public proof-of-concept (PoC) exploits had been identified as of the disclosure date, but the trigger is simply a DER blob with enough nesting levels, so PoCs are likely to emerge. Crafting that input requires some familiarity with ASN.1/DER encoding, so a moderate level of attacker skill is required; no authentication, race condition or memory-layout knowledge is involved.
Exploit Status
EPSS
0.11% (30th percentile)
CISA SSVC
The primary mitigation is to upgrade to node-forge version 1.3.2 or later, which adds the missing recursion depth limit. If upgrading is not immediately feasible, validate input before it reaches the parser: walk the DER tag/length headers with a non-recursive loop and reject any blob whose SEQUENCE or SET nesting exceeds a fixed depth, and wrap the asn1.fromDer call so that a RangeError is caught and converted into a request failure rather than an unhandled exception that kills the process. A WAF or proxy cannot interpret ASN.1 and so cannot detect the nesting itself, but it can enforce a payload size cap on endpoints that accept DER or PEM; since every nesting level costs at least two bytes (tag plus length), a size cap also bounds the achievable depth. No specific Sigma or YARA rules are readily available for this vulnerability. For detection, alert on "RangeError: Maximum call stack size exceeded" errors whose stack trace passes through node-forge's asn1 module, and on unexpected restarts of processes that parse certificates or other ASN.1 input.
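The following is an added example written for this page, not code from the node-forge project. It shows the interim mitigation described above, and exercises it with the kind of input the earlier description of the root cause talks about: a DER nesting-depth pre-check that an application can run before handing bytes to asn1.fromDer on a build older than 1.3.2, plus a wrapper that turns a stack-exhaustion RangeError into an ordinary error. The deeply nested SEQUENCE is constructed inline as test input. The limit of 32 and the names readTlvHeader, derMaxDepth, safeFromDer and nestedSequence are this example's own choices; only the node-forge call quoted in the comment (forge.asn1.fromDer(forge.util.createBuffer(bytes))) is the library's public API.

```javascript
// Added example, not node-forge code: bound the nesting depth of a DER blob
// *before* it reaches asn1.fromDer, so a deeply nested SEQUENCE/SET cannot
// drive the recursive parser into stack exhaustion on versions < 1.3.2.

// Assumption: 32 levels comfortably covers X.509, CSR, PKCS#7 and PKCS#12
// structures; tune this to the inputs your application actually accepts.
const MAX_DER_DEPTH = 32;

// Parse one TLV header at buf[off], never reading past `end` (the enclosing
// element's end). Returns header length, content length and whether the tag
// is constructed (bit 6 set), which is what makes the real parser recurse.
function readTlvHeader(buf, off, end) {
  if (off >= end) throw new Error('truncated tag');
  const tag = buf[off];
  let p = off + 1;
  if ((tag & 0x1f) === 0x1f) {                 // high-tag-number form
    while (p < end && (buf[p] & 0x80) !== 0) p++;
    if (p >= end) throw new Error('truncated high tag number');
    p++;
  }
  if (p >= end) throw new Error('truncated length');
  let len = buf[p++];
  if ((len & 0x80) !== 0) {                    // long-form length
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error('indefinite or oversized length not allowed in DER');
    if (p + n > end) throw new Error('truncated long-form length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[p++];
  }
  if (p + len > end) throw new Error('element length exceeds enclosing element');
  return { constructed: (tag & 0x20) !== 0, headerLen: p - off, len };
}

// Walk the whole structure with an explicit work list (so this check can never
// overflow the call stack itself) and return the deepest nesting level seen.
// The outermost element is depth 1. Throws as soon as maxDepth is exceeded.
function derMaxDepth(buf, maxDepth) {
  let deepest = 0;
  const work = [{ start: 0, end: buf.length, depth: 1 }];
  while (work.length > 0) {
    const { start, end, depth } = work.pop();
    if (depth > maxDepth) throw new Error(`DER nesting depth exceeds ${maxDepth}`);
    let off = start;
    while (off < end) {
      const h = readTlvHeader(buf, off, end);
      if (depth > deepest) deepest = depth;
      const contentStart = off + h.headerLen;
      if (h.constructed && h.len > 0) {
        work.push({ start: contentStart, end: contentStart + h.len, depth: depth + 1 });
      }
      off = contentStart + h.len;
    }
  }
  return deepest;
}

// Guarded wrapper: reject over-nested input up front, then convert the
// RangeError that an exhausted JS call stack produces into a plain error so one
// bad request fails by itself instead of crashing the process.
// `parse` is the caller's decoder; with node-forge that would be
//   bytes => forge.asn1.fromDer(forge.util.createBuffer(bytes))
function safeFromDer(bytes, parse, maxDepth = MAX_DER_DEPTH) {
  derMaxDepth(bytes, maxDepth);
  try {
    return parse(bytes);
  } catch (err) {
    if (err instanceof RangeError) {
      throw new Error('ASN.1 parse aborted: call stack exhausted (possible nesting attack)');
    }
    throw err;
  }
}

// Constructed test input (not captured from the wild): a NULL wrapped in
// `depth` SEQUENCEs, the shape of input the advisory describes.
function encodeLength(len) {
  if (len < 0x80) return [len];
  const out = [];
  for (let v = len; v > 0; v = Math.floor(v / 256)) out.unshift(v & 0xff);
  return [0x80 | out.length, ...out];
}
function nestedSequence(depth) {
  let body = [0x05, 0x00];                     // NULL
  for (let i = 0; i < depth; i++) body = [0x30, ...encodeLength(body.length), ...body];
  return Uint8Array.from(body);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('depth of SEQ{SEQ{SEQ{NULL}}}:', derMaxDepth(nestedSequence(3), MAX_DER_DEPTH));
  try {
    derMaxDepth(nestedSequence(2000), MAX_DER_DEPTH);
  } catch (e) {
    console.log('rejected hostile input:', e.message);
  }
}
```

Running the script with node prints the depth of the three-level structure (4, counting the NULL) and the rejection message for the 2000-level one. Two design points matter for a screen like this: the walker uses a work list rather than recursion, so it cannot itself be knocked over by the input it is filtering, and every element's length is bounded by its parent's end, so a malformed length cannot make the walk read outside the blob or silently skip a nested element.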
Update the node-forge library to version 1.3.2 or higher, which fixes the uncontrolled recursion. For a direct dependency, `npm install node-forge@latest` is enough. node-forge is very often pulled in transitively (by PKI, SAML, signing and test tooling), so also run `npm ls node-forge` to find every copy in the tree; where an intermediate package pins an older release, force the fixed version with an `overrides` entry in package.json (npm 8.3 and later) or your package manager's equivalent, then re-run `npm ls node-forge` to confirm no copy older than 1.3.2 remains.
CVE-2025-66031 is a Denial-of-Service vulnerability in the node-forge library's ASN.1 parser. Malicious ASN.1 structures can trigger unbounded recursion, leading to a crash.
You are affected if you are using node-forge versions 1.3.1 or earlier. Upgrade to 1.3.2 or later to resolve the vulnerability.
Upgrade to node-forge version 1.3.2 or later. If immediate upgrade is not possible, implement input validation to limit ASN.1 structure complexity.
There is currently no confirmed active exploitation, but the vulnerability is relatively easy to exploit and PoCs are likely to emerge.
Refer to the node-forge project's repository and release notes for the latest advisory and information regarding this vulnerability.