- A flaw in the Node-forge cryptography library (CVE-2025-12816) allowed bypassing certificate signing and validation
- CERT-CC warns of risks including bypassing authentication and tampering with signed data
- Maintainers have released version 1.3.2; developers are advised to update immediately
A popular JavaScript cryptography library has a flaw that could let an attacker bypass authentication in applications that rely on it to verify certificates or signatures. The library has since been updated, and users are encouraged to upgrade to the new version as soon as possible.
The bug was found in the "node-forge" package, a widely used pure-JavaScript crypto toolkit that provides encryption, decryption, hashing, digital signatures, TLS/SSL and key generation without the need for native modules.
The bug allows an attacker to craft an ASN.1 data structure that the library accepts even though the cryptographic checks it should enforce are not satisfied, allowing certificate signing or validation to be bypassed. It is tracked as CVE-2025-12816 and carries a CVSS severity score of 8.6 out of 10 (high). Abstract Syntax Notation One (ASN.1) is the standard notation used to encode certificates, keys, signatures and other cryptographic structures, so any application that feeds untrusted certificates or signed data to node-forge should be treated as affected until it is upgraded.
A significant impact
The CERT Coordination Center (CERT/CC) at Carnegie Mellon University also published a security advisory, which states that the bug can be exploited in different ways and can lead to authentication bypass, alteration of signed data, or misuse of certificate-related functions.
“In environments where cryptographic verification plays a central role in trust decisions, the potential impact can be significant,” CERT-CC said.
Node.js developers should care because node-forge is a core cryptography dependency in countless applications and web services, with almost 26 million weekly downloads on the npm registry.
The vulnerability was discovered by researchers at Palo Alto Networks and responsibly disclosed to the node-forge maintainers, who released a patch earlier this week.
The patch brings the library to version 1.3.2, and developers using node-forge are encouraged to upgrade as soon as possible. Because node-forge is frequently pulled in transitively by other packages and build tooling, check the whole dependency tree (for example with `npm ls node-forge`) rather than only direct dependencies, and make sure every nested copy is at 1.3.2 or later. Cryptography dependencies in Node.js projects deserve prompt updates in general, since even mature and widely used packages can contain critical flaws.
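The following lock-file audit is an added example, not code from the article or from the node-forge project. It walks a package-lock.json (lockfile version 2 or 3, which lists every installed copy under `packages`) and reports each copy of node-forge, including nested transitive copies, that is older than the patched 1.3.2 release. The lock file embedded below is constructed for illustration; for a real audit, read the project's own package-lock.json with `fs.readFileSync` and pass its contents to `auditLockfile`.

```javascript
// Added example (not from the article or node-forge): find every installed
// copy of node-forge in a package-lock.json and flag those below 1.3.2.

const PATCHED_VERSION = "1.3.2"; // first release containing the fix, per the advisory

// Parse "major.minor.patch" into three numbers, ignoring any prerelease or
// build suffix (e.g. "1.3.2-beta.1" -> [1, 3, 2]).
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the `packages` map of a v2/v3 lock file. Keys look like
// "node_modules/foo" or "node_modules/foo/node_modules/bar" for nested copies;
// the installed package name is whatever follows the last "node_modules/".
function findPackage(lockfile, name, fixedVersion) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry, not a dependency
    const installedName = path.split("node_modules/").pop();
    if (installedName !== name || !meta || !meta.version) continue;
    findings.push({
      path,
      version: meta.version,
      vulnerable: compareSemver(meta.version, fixedVersion) < 0,
    });
  }
  return findings;
}

// Accepts either the raw JSON text of package-lock.json or the parsed object.
function auditLockfile(lockfileJson) {
  const lock = typeof lockfileJson === "string" ? JSON.parse(lockfileJson) : lockfileJson;
  return findPackage(lock, "node-forge", PATCHED_VERSION);
}

// Constructed sample lock file: the application depends on the patched
// release directly, but a hypothetical dependency "some-dep" still bundles
// its own nested copy of an older release.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/node-forge": { version: "1.3.2" },
    "node_modules/some-dep": { version: "2.0.0" },
    "node_modules/some-dep/node_modules/node-forge": { version: "1.3.1" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}@${f.version}: ${f.vulnerable ? "VULNERABLE (< 1.3.2)" : "ok"}`);
}
```

The nested copy is the one that a glance at package.json misses: the top-level dependency is already patched, but the copy under `some-dep` is still 1.3.1 and would be the one loaded by that dependency. After upgrading, rerun the audit until no copy reports as vulnerable; `npm audit` will flag the same advisory once it is in the npm advisory database, but the lock-file walk works offline and on lock files taken from CI artifacts.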
Via BleepingComputer