Forge Unbounded Recursion Vulnerability

HIGH (7.5) Partial Fix Patch

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.10% chance of exploitation (percentile: 29%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

Forge (node-forge) is a pure-JavaScript implementation of TLS, ASN.1/DER, X.509 and related cryptographic primitives. It is used by Node.js and browser applications that need to parse certificates, keys and other DER-encoded data without native bindings; Node.js itself does not rely on it for its built-in TLS, which is backed by OpenSSL. The vulnerable ASN.1 parser (forge.asn1.fromDer) descends into constructed elements recursively with no depth limit, so a crafted DER blob of deeply nested SEQUENCEs drives the JavaScript call stack past its limit and crashes the process with a stack-exhaustion error, a Denial-of-Service (DoS). Any code path that feeds attacker-controlled DER into the parser, for example certificates, CSRs or PKCS#7/PKCS#12 blobs supplied by a client, is exposed; such a blob is cheap to generate and only a few megabytes in size.

Am I affected?

Affected versions: 1.3.1 and earlier (fixed in 1.3.2)

Affected Packages

npm: node-forge

Affected Products

digitalbazaar / forge

How to fix

Upgrade to node-forge version 1.3.2 or later, and check your lockfile for transitive copies of older versions pulled in by other dependencies.
If you can't upgrade immediately:
- Do not pass untrusted DER to forge.asn1.fromDer; parse attacker-supplied certificates, CSRs and PKCS#7/PKCS#12 blobs with a patched library or native tooling instead.
- Where untrusted input is unavoidable, cap its size and check the nesting depth of constructed elements with a non-recursive walk before calling forge.asn1.fromDer, rejecting anything deeper than the formats you accept actually need.
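The following is an added example written for this page, not node-forge's own code: it builds a deeply nested DER blob of the shape the advisory describes, shows that a naive recursive walker (a simplified model of the vulnerable pattern, not forge's parser) dies with a RangeError, and implements the pre-check mitigation above as an iterative depth scan that would run before forge.asn1.fromDer. The function names (buildNestedSequence, recursiveNodeCount, derMaxDepth, safeToParse), the 64 KiB and depth-32 limits, and the sample inputs are all assumptions chosen for illustration.

```javascript
'use strict';

// Encode a definite-form DER length: short form below 0x80, long form otherwise.
function encodeLength(n) {
  if (n < 0x80) return [n];
  const bytes = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) bytes.unshift(v % 256);
  return [0x80 | bytes.length, ...bytes];
}

// Constructed attack-shaped input: SEQUENCE { SEQUENCE { ... { NULL } } } nested
// `depth` times. Built outermost-first in O(depth), which is what makes the
// DoS cheap to mount: the attacker's cost is linear, the victim's is a crash.
function buildNestedSequence(depth) {
  const contentLen = new Array(depth);
  let total = 2;                                    // innermost content: NULL = 05 00
  for (let i = 0; i < depth; i++) {
    contentLen[i] = total;                          // content length of the i-th SEQUENCE from the inside
    total += 1 + encodeLength(total).length;        // plus this level's tag and length header
  }
  const out = new Uint8Array(total);
  let off = 0;
  for (let i = depth - 1; i >= 0; i--) {            // write headers from the outside in
    out[off++] = 0x30;                              // SEQUENCE, constructed
    const len = encodeLength(contentLen[i]);
    out.set(len, off);
    off += len.length;
  }
  out[off++] = 0x05;                                // NULL
  out[off++] = 0x00;
  return out;
}

// Parse one DER tag + length header at `off`. Rejects indefinite lengths,
// lengths wider than 4 bytes, multi-byte tags, and elements running past the
// end of the buffer, so the walkers below never read out of bounds.
function readHeader(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated header');
  const tag = buf[off];
  if ((tag & 0x1f) === 0x1f) throw new Error('multi-byte tag not supported by this check');
  let i = off + 1;
  let len = buf[i++];
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 4 || i + n > buf.length) throw new Error('bad length encoding');
    len = 0;
    for (let k = 0; k < n; k++) len = len * 256 + buf[i++];
  }
  if (i + len > buf.length) throw new Error('length exceeds input');
  return { tag, constructed: (tag & 0x20) !== 0, len, hdr: i - off };
}

// Naive recursive walker: one JavaScript call frame per nesting level, the
// structure that lets a deeply nested input exhaust the stack.
function recursiveNodeCount(buf, off = 0, end = buf.length) {
  let count = 0;
  while (off < end) {
    const h = readHeader(buf, off);
    count += 1;
    const start = off + h.hdr;
    if (h.constructed) count += recursiveNodeCount(buf, start, start + h.len);
    off = start + h.len;
  }
  return count;
}

// Iterative depth measurement with an explicit stack: no recursion, and it
// stops as soon as `limit` is exceeded (returning limit + 1).
function derMaxDepth(buf, limit) {
  const stack = [{ off: 0, end: buf.length }];
  let maxDepth = 0;
  while (stack.length > 0) {
    const frame = stack[stack.length - 1];
    if (frame.off >= frame.end) { stack.pop(); continue; }
    const h = readHeader(buf, frame.off);
    const start = frame.off + h.hdr;
    frame.off = start + h.len;                      // advance past this element in its parent
    if (h.constructed) {
      stack.push({ off: start, end: frame.off });
      maxDepth = Math.max(maxDepth, stack.length - 1);
      if (maxDepth > limit) return maxDepth;
    }
  }
  return maxDepth;
}

// Gate to apply before forge.asn1.fromDer(bytes). Limits are assumptions;
// real X.509 certificates sit far below a nesting depth of 32.
function safeToParse(buf, { maxBytes = 64 * 1024, maxDepth = 32 } = {}) {
  if (buf.length > maxBytes) return false;
  try {
    return derMaxDepth(buf, maxDepth) <= maxDepth;
  } catch (e) {
    return false;                                   // malformed DER never reaches the parser
  }
}

// Run both walkers on a blob nested `depth` deep and report what happened.
function demo(depth) {
  const blob = buildNestedSequence(depth);
  let recursive;
  try {
    recursive = `parsed ${recursiveNodeCount(blob)} nodes`;
  } catch (e) {
    recursive = `${e.constructor.name}: ${e.message}`;
  }
  return { bytes: blob.length, recursive, accepted: safeToParse(blob) };
}

// Constructed benign sample: SEQUENCE { INTEGER 1, NULL }.
const BENIGN = Uint8Array.from([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00]);

console.log('benign:', safeToParse(BENIGN), recursiveNodeCount(BENIGN), 'nodes');
console.log('nested x3:', demo(3));
console.log('nested x500000:', demo(500000));
```

On a stock Node.js the 500k-deep blob is about 2.5 MB, the recursive walker reports `RangeError: Maximum call stack size exceeded`, and safeToParse rejects it in a few milliseconds; the benign sample passes with depth 1. Hook the gate in front of every entry point that calls forge.asn1.fromDer on external bytes, and treat a rejection as a hostile input worth logging.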