Platform
nodejs
Component
node-forge
Fixed in
1.3.3
1.3.2
CVE-2025-66030 is an integer overflow in the node-forge library's asn1.derToOid function, which decodes DER-encoded object identifiers (OIDs). Because the decoded OID can differ from the one actually encoded, an attacker who controls ASN.1 input can defeat security controls that key on OIDs. The vulnerability affects node-forge up to and including 1.3.1; the fix is in 1.3.2.
An attacker exploits this flaw by supplying an ASN.1 structure that contains an oversized OID. When asn1.derToOid decodes the base-128 arcs of that OID, it accumulates each arc with bitwise operations, and JavaScript bitwise operators work on 32-bit integers, so an arc too large to fit is silently truncated to a smaller number. The attacker can therefore choose an oversized arc that, after truncation, equals the arc of a legitimate, trusted OID: the decoded string matches the trusted identifier even though the encoded bytes do not. Any security decision keyed on the decoded OID (which algorithm, key type, extension or policy a certificate or signature claims to use) can be bypassed this way, letting the attacker pass off attacker-controlled data as something the application trusts. The impact is most serious in applications that use node-forge for certificate handling, signature verification or other cryptographic operations, where the OID selects how the rest of the structure is interpreted.
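The following is an added example written for this page, not code from node-forge: a simplified re-implementation of base-128 OID decoding with 32-bit bitwise arithmetic, placed beside a strict decoder that does not truncate, plus an encoder used to build a constructed oversized OID so the two can be compared on the same bytes. The function names, the choice of sha256WithRSAEncryption (1.2.840.113549.1.1.11) as the trusted OID and the crafted arc value are illustrative assumptions; the exact decoder in node-forge 1.3.1 and the details of the 1.3.2 fix should be taken from the project's repository.

```javascript
// Added example, not node-forge's source: a truncating base-128 OID decoder
// (the class of bug described for CVE-2025-66030), a strict decoder, and an
// encoder that builds a constructed oversized OID for comparison.
// Assumptions: the first two arcs fit in one byte (true for the 1.x and 2.x
// OIDs used in X.509), and input is the DER content of an OBJECT IDENTIFIER
// with tag and length already stripped.

// Encode a dotted OID string as DER content bytes. Arcs are BigInt so that
// arcs larger than 2^32 can be produced for testing.
function oidToDer(oid) {
  const arcs = oid.split('.').map((a) => BigInt(a));
  if (arcs.length < 2) throw new Error('an OID needs at least two arcs');
  const out = [Number(arcs[0] * 40n + arcs[1])];
  for (const arc of arcs.slice(2)) {
    // base-128, most significant septet first, high bit set on all but the last
    const septets = [];
    let v = arc;
    do {
      septets.unshift(Number(v & 0x7fn));
      v >>= 7n;
    } while (v > 0n);
    for (let i = 0; i < septets.length - 1; i++) septets[i] |= 0x80;
    out.push(...septets);
  }
  return Uint8Array.from(out);
}

// Truncating decoder. `value << 7` coerces `value` to a signed 32-bit integer
// before shifting, so any bit above bit 31 accumulated so far is discarded.
// An arc encoded as 2^35 + N therefore decodes as N.
function derToOidTruncating(bytes) {
  const first = bytes[0];
  let oid = Math.floor(first / 40) + '.' + (first % 40);
  let value = 0;
  for (let i = 1; i < bytes.length; i++) {
    const b = bytes[i];
    value = value << 7; // 32-bit truncation happens here
    if (b & 0x80) {
      value += b & 0x7f; // continuation septet
    } else {
      oid += '.' + (value + b); // final septet: emit the arc
      value = 0;
    }
  }
  return oid;
}

// Strict decoder: arcs are accumulated as BigInt (no truncation), a leading
// 0x80 septet is rejected as a non-minimal DER encoding, and an arc whose
// last byte still has the continuation bit set is rejected as truncated input.
function derToOidStrict(bytes) {
  if (bytes.length === 0) throw new Error('empty OID');
  const first = bytes[0];
  let oid = Math.floor(first / 40) + '.' + (first % 40);
  let value = 0n;
  let septets = 0;
  for (let i = 1; i < bytes.length; i++) {
    const b = bytes[i];
    if (septets === 0 && b === 0x80) throw new Error('non-minimal arc encoding');
    value = (value << 7n) | BigInt(b & 0x7f);
    septets += 1;
    if ((b & 0x80) === 0) {
      oid += '.' + value.toString();
      value = 0n;
      septets = 0;
    }
  }
  if (septets !== 0) throw new Error('unterminated arc');
  return oid;
}

// A trust decision keyed on the decoded OID, parameterised by the decoder.
const TRUSTED_OID = '1.2.840.113549.1.1.11'; // sha256WithRSAEncryption (assumed trusted)
function isTrustedAlgorithm(decode, derBytes) {
  return decode(derBytes) === TRUSTED_OID;
}

// Constructed input: the trusted OID with arc 113549 replaced by 2^35 + 113549.
// The extra bits sit above bit 31 and vanish in the truncating decoder.
const CRAFTED_OID = '1.2.840.34359851917.1.1.11';
const craftedDer = oidToDer(CRAFTED_OID);

console.log('crafted DER:', Array.from(craftedDer, (b) => b.toString(16).padStart(2, '0')).join(' '));
console.log('truncating decoder:', derToOidTruncating(craftedDer)); // 1.2.840.113549.1.1.11
console.log('strict decoder:    ', derToOidStrict(craftedDer));     // 1.2.840.34359851917.1.1.11
console.log('trusted via truncating decoder?', isTrustedAlgorithm(derToOidTruncating, craftedDer)); // true
console.log('trusted via strict decoder?    ', isTrustedAlgorithm(derToOidStrict, craftedDer));     // false
```

The crafted arc encodes as `81 80 80 86 f7 0d`, the legitimate arc as `86 f7 0d`: the same trailing three bytes, preceded by a septet whose contribution lands above bit 31. The strict decoder is also the shape of pre-validation a wrapper can apply if upgrading is delayed: decode with BigInt (or reject any arc longer than five base-128 bytes, which is all a 32-bit arc ever needs) before handing bytes to the library.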
This CVE was publicly disclosed on 2025-11-26. There is currently no known exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed in the CISA KEV catalog. The probability of exploitation is rated low (EPSS 0.04%, 13th percentile), reflecting the absence of public exploit code; note, however, that node-forge is widely pulled in as a transitive dependency, so the number of exposed applications is large even if the per-application likelihood is low.
Applications and services that use node-forge to parse ASN.1 are at risk, especially where the parsed data drives cryptographic or trust decisions: X.509 certificate processing, digital-signature verification, and any other DER-encoded input whose meaning depends on an OID. Projects that pull in an older node-forge transitively, or only in build tooling, are affected as well, even when they do not depend on it directly.
• nodejs / supply-chain: run `npm ls node-forge` to list every installed copy, including copies nested under other packages, with its version.
• nodejs / supply-chain: run `npm audit` against the project's lockfile.
• nodejs / supply-chain: check package.json and package-lock.json for node-forge versions <= 1.3.1.
• generic web: inspect application logs for ASN.1 parsing errors or unexpected OID values.
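Added example, not from the original page or from npm: a script that scans a package-lock.json for every installed copy of node-forge, including copies nested under other packages' node_modules, and reports those below 1.3.2. The sample lockfile and the `some-sdk` package in it are constructed for illustration; the lockfile layouts assumed are npm's lockfileVersion 1 (nested `dependencies` tree) and lockfileVersion 2/3 (flat `packages` map keyed by install path).

```javascript
// Added example (not part of the original page): find every installed copy of
// node-forge in a package-lock.json and flag those below the fixed version.
// Assumes npm lockfile layouts: v1 nests "dependencies"; v2/v3 use a flat
// "packages" map whose keys are install paths ("" is the root project).

const PACKAGE = 'node-forge';
const FIXED_VERSION = '1.3.2';

// Compare two semver-style versions numerically on major.minor.patch.
// Returns <0, 0 or >0. A pre-release (e.g. 1.3.2-rc.1) sorts before its release.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split('-', 2);
    return { nums: core.split('.').map(Number), pre: pre !== undefined };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d;
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// Return [{ path, version }] for every installed copy of PACKAGE.
function findNodeForge(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: any key ending in node_modules/<package> is a copy
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: walk the nested dependency tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Copies whose version is strictly below FIXED_VERSION.
function vulnerableNodeForge(lock) {
  return findNodeForge(lock).filter((f) => compareVersions(f.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile (lockfileVersion 3). "some-sdk" is a hypothetical
// package that bundles its own, older node-forge under its node_modules.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'node-forge': '^1.3.2', 'some-sdk': '^2.0.0' } },
    'node_modules/node-forge': { version: '1.3.2' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { 'node-forge': '^1.3.0' } },
    'node_modules/some-sdk/node_modules/node-forge': { version: '1.3.1' },
  },
};

for (const copy of findNodeForge(SAMPLE_LOCK)) {
  const status = compareVersions(copy.version, FIXED_VERSION) < 0 ? 'VULNERABLE' : 'ok';
  console.log(`${copy.path}@${copy.version}: ${status}`);
}
```

To run this against a real project, load the file with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the object to `vulnerableNodeForge`. The nested copy is exactly the case a package.json check misses: a direct dependency at 1.3.2 does nothing for a 1.3.1 that another package carries under its own node_modules.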
Exploit status
EPSS
0.04% (percentile 13%)
CISA SSVC
The primary mitigation for CVE-2025-66030 is to upgrade to node-forge 1.3.2 or later, which contains the fix for the integer overflow. If upgrading is not immediately feasible, validate OID content before it reaches asn1.derToOid, for example by rejecting any arc encoded in more base-128 bytes than the largest OID your application needs (a 32-bit arc never needs more than five). Because node-forge decodes OIDs internally while parsing certificates and other structures, such validation is hard to apply without wrapping or patching the library, so every ASN.1 parsing path that uses node-forge should be reviewed. After upgrading, confirm the fix by decoding a known oversized OID and checking that it is rejected or decoded to its true value rather than to a truncated one.
Update the node-forge library to version 1.3.2 or later. This fixes the integer overflow in ASN.1 OID parsing. Run `npm install node-forge@latest` or `yarn add node-forge@latest` to update. Note that this only updates the direct dependency: copies pulled in transitively need their parent's version range to allow 1.3.2 (check with `npm ls node-forge`) or an `overrides` entry in package.json forcing the fixed version.
CVE-2025-66030 is an integer overflow vulnerability in node-forge versions 1.3.1 and below, allowing attackers to bypass security checks by manipulating ASN.1 OIDs.
You are affected if you are using node-forge versions 1.3.1 or earlier. Upgrade to version 1.3.2 or later to resolve the vulnerability.
Upgrade to node-forge version 1.3.2 or later. If upgrading is not possible immediately, consider implementing input validation for OIDs.
As of now, there is no evidence of active exploitation in the wild, and no public proof-of-concept code is available.
Refer to the official node-forge repository and related security advisories for the most up-to-date information.