CVE-2025-32029: ts-asn1-der has Incorrect DER Encoding of Numbers Leading to Denial of Service and Incorrect Value Representation
Incorrect DER encoding of numbers can lead to denial of service for values whose absolute value lies in the range 2**31 to 2**32 - 1. The arithmetic in numBitLen did not take into account that, for values in this range, applying the >> operator (a signed 32-bit shift) produces a negative result, so the loop never reaches zero and runs forever.

In addition, number encoding had a few other issues that resulted in values not being encoded correctly.
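The following is an added illustration, not code from the ts-asn1-der project. It reconstructs the failure mode described above (the function numBitLenSigned and its step cap are assumptions made for demonstration, so the vulnerable pattern returns instead of hanging), and places beside it a BigInt-based bit-length routine and a minimal DER INTEGER encoder that handle the affected range and negative values correctly.

```javascript
// Added example (not the ts-asn1-der project's code). Shows why a bit-length
// loop built on the signed `>>` operator cannot terminate for inputs in
// [2**31, 2**32 - 1], and how to compute bit length and encode DER INTEGERs
// without 32-bit truncation.

// Reconstructed vulnerable pattern (hypothetical name). `>>` coerces its
// operand to a signed 32-bit integer: 2**31 becomes -2**31 and 2**32 - 1
// becomes -1. Right-shifting a negative value converges on -1, and
// -1 >> 1 === -1, so `v !== 0` never becomes false. A step cap is added
// here purely so the demo returns; the original loop had no such cap.
function numBitLenSigned(n, maxSteps = 64) {
  let bits = 0;
  let v = n;
  let steps = 0;
  while (v !== 0) {
    if (++steps > maxSteps) return -1; // -1 signals "would loop forever"
    v = v >> 1;
    bits++;
  }
  return bits;
}

// Corrected bit-length: BigInt arithmetic has no 32-bit wraparound, so the
// loop strictly decreases toward 0n for any magnitude.
function numBitLen(n) {
  let v = BigInt(n);
  if (v < 0n) v = -v;
  let bits = 0;
  while (v !== 0n) {
    v >>= 8n > 0n ? 1n : 1n; // shift by one bit per step
    bits++;
  }
  return bits;
}

// DER INTEGER content octets: two's complement, big-endian, minimal length.
// Non-negative values whose top bit is set get a leading 0x00 so they are
// not misread as negative; negative values use the fewest octets k such
// that -2**(8k-1) <= n.
function derIntegerContent(n) {
  let v = BigInt(n);
  const bytes = [];
  if (v >= 0n) {
    do {
      bytes.unshift(Number(v & 0xffn));
      v >>= 8n;
    } while (v > 0n);
    if (bytes[0] & 0x80) bytes.unshift(0x00);
  } else {
    let k = 1;
    while (v < -(1n << BigInt(8 * k - 1))) k++;
    let u = v + (1n << BigInt(8 * k)); // wrap into [0, 2**(8k))
    for (let i = 0; i < k; i++) {
      bytes.unshift(Number(u & 0xffn));
      u >>= 8n;
    }
  }
  return bytes;
}

// DER length octets: short form below 128, long form otherwise.
function derLength(len) {
  if (len < 128) return [len];
  const out = [];
  let v = len;
  while (v > 0) {
    out.unshift(v & 0xff);
    v >>>= 8; // unsigned shift: safe for any 32-bit length
  }
  return [0x80 | out.length, ...out];
}

// Full TLV for an INTEGER (tag 0x02).
function derEncodeInteger(n) {
  const content = derIntegerContent(n);
  return [0x02, ...derLength(content.length), ...content];
}

function toHex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, '0')).join(' ');
}

// Demo: the affected boundary values and a negative value.
for (const n of [2 ** 31, 2 ** 32 - 1, -129]) {
  console.log(n, 'signed-shift bits:', numBitLenSigned(n),
    'BigInt bits:', numBitLen(n), 'DER:', toHex(derEncodeInteger(n)));
}
```

Note that the cap in numBitLenSigned is the only reason the vulnerable version returns at all; a practical detection is a unit test that feeds both 2**31 and 2**32 - 1 through the encoder under a timeout. The corrected encoder produces 02 05 00 80 00 00 00 for 2**31, which is the expected DER form (a leading zero octet because the top bit of 0x80000000 is set).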