Platform
nodejs
Component
node-forge
Fixed in
1.4.1
1.4.0
CVE-2026-33894 describes a forged signature vulnerability affecting Forge, a JavaScript TLS implementation. This flaw allows attackers to forge signatures, specifically by manipulating the ASN structure to bypass verification, enabling Bleichenbacher-style forgery. This impacts applications relying on Forge for secure communication. The vulnerability affects Forge versions less than 1.4.0 and is resolved in version 1.4.0.
CVE-2026-33894 allows attackers to forge RSASSA PKCS#1 v1.5 signatures when using low public exponent keys (e=3) within the Forge library. This vulnerability stems from the library's flawed signature verification process, which fails to adequately validate the ASN structure. An attacker can craft malicious signatures by strategically inserting “garbage” bytes within the ASN structure, specifically targeting an addition field. This manipulation allows the forged signature to bypass verification, effectively mimicking a legitimate signature. The attack leverages a Bleichenbacher-style forgery technique, similar to CVE-2022-24771, but with a subtle difference in how the malicious bytes are introduced. Successful exploitation could lead to unauthorized transactions, data manipulation, or impersonation, depending on the application utilizing Forge for signature verification. The blast radius extends to any system relying on Forge for secure communication and authentication where RSASSA PKCS#1 v1.5 signatures with a public exponent of 3 are used. Sensitive data, such as financial records, user credentials, or critical system configurations, could be at risk if the forged signature is accepted as valid. The ability to forge signatures undermines the integrity of the entire system relying on the signature verification process.
Currently, there are no publicly available exploitation reports or proof-of-concept (POC) code for CVE-2026-33894, as indicated by the lack of entries in the Known Exploited Vulnerabilities (KEV) database. However, the vulnerability's nature, leveraging a well-understood cryptographic weakness (Bleichenbacher-style forgery), suggests that exploitation is possible. The similarity to CVE-2022-24771, which did have public exploits, increases the likelihood of future exploitation. While no active exploitation is known, the potential for exploitation warrants immediate attention and remediation. The absence of public exploits does not diminish the risk; it simply means that attackers may be developing exploits in private. Given the potential impact and the ease with which this type of forgery can be implemented, organizations should prioritize patching to reduce their exposure.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
The primary mitigation for CVE-2026-33894 is to upgrade to Forge version 1.4.0 or later, which includes the necessary fixes to properly validate signatures and prevent the forgery. If upgrading is not immediately feasible, consider disabling the use of RSASSA PKCS#1 v1.5 signatures with a public exponent of 3. Alternatively, implement stricter input validation on the ASN structure to detect and reject malformed signatures. This workaround, however, is less robust than upgrading and requires careful implementation to avoid introducing new vulnerabilities. Ensure that all signature verification logic is thoroughly reviewed and tested after implementing any workaround. Prioritize the upgrade to version 1.4.0 as soon as possible, as it provides the most comprehensive and reliable protection against this vulnerability. After upgrading, perform thorough testing to confirm that the fix has been successfully applied and that the system functions as expected. Verification of the upgrade should include testing with known malicious signature samples to ensure the vulnerability is completely resolved.
Actualice la biblioteca Forge a la versión 1.4.0 o superior. Esta versión corrige la vulnerabilidad de falsificación de firmas RSA-PKCS. Para actualizar, utilice el gestor de paquetes npm: `npm install node-forge@latest`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33894 is a vulnerability in the Forge library that allows attackers to forge RSASSA PKCS#1 v1.5 signatures using low public exponent keys.
You are affected if you are using Forge versions prior to 1.4.0 and rely on RSASSA PKCS#1 v1.5 signatures with a public exponent of 3.
Upgrade to Forge version 1.4.0 or later to resolve this vulnerability.
Currently, there are no publicly known exploits for CVE-2026-33894, but the potential for exploitation exists.
Refer to the National Vulnerability Database (NVD) entry for CVE-2026-33894 for more information.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.