- The bug in Node Forge’s cryptographic library (CVE-2025-12816) allowed signature and certificate validation to be bypassed.
- CERT-CC warns of risks such as authentication bypass and manipulation of signed data.
- The maintainers have released version 1.3.2; developers are encouraged to update immediately.
A popular JavaScript coding library is vulnerable in a way that could allow malicious actors to compromise user accounts. The library has since been updated and users are encouraged to update to the new version as soon as possible.
The flaw was found in the node-forge package, a popular cryptography library that provides functions such as encryption, decryption, hashing, digital signatures, TLS/SSL, and key generation, all implemented in JavaScript without depending on built-in modules.
The flaw allows an attacker to craft a fake ASN.1 data structure that causes the library to ignore its cryptographic checks and skip signature or certificate validation. It is tracked as CVE-2025-12816 and carries a severity rating of 8.6/10 (high). Abstract Syntax Notation One (ASN.1) is the standard format used to encode data in certificates and cryptographic operations.
Significant impact
Carnegie Mellon's CERT-CC also issued a security advisory stating that the flaw can be exploited in a variety of ways, leading to authentication bypass, manipulation of signed data, or attacks on certificate-dependent functionality.
“In environments where cryptographic verification plays a central role in trust decisions, the potential impact can be significant,” CERT-CC said.
Node.js developers should take this seriously because node-forge is a core cryptography library used in countless applications and web services. It is also extremely widely used, with almost 26 million downloads per week on the Node Package Manager (npm) registry.
The vulnerability was discovered by cybersecurity researchers at Palo Alto Networks and responsibly reported to the node-forge maintainers, who released a patch earlier this week.
The patch brings the library to version 1.3.2, and developers using node-forge are advised to update to the new version as soon as possible. The case is a reminder that cryptographic dependencies in Node.js projects need to be updated promptly, as even trusted and commonly used packages can contain critical bugs.
IN BeepTeam