CVE-2025-12816: node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
CVE-2025-12816 has been reserved by CERT/CC
Description
An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures that desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
References
- github.com/advisories/GHSA-5gfm-wpxj-wjgq
- github.com/digitalbazaar/forge
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js
- github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js
- github.com/digitalbazaar/forge/pull/1124
- github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq
- kb.cert.org/vuls/id/521113
- nvd.nist.gov/vuln/detail/CVE-2025-12816
- www.kb.cert.org/vuls/id/521113
- www.npmjs.com/package/node-forge