CVE-2025-12816

Description

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

CVSS Metrics

• v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
• v3.1•HIGH•Score: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 0.07%• Percentile: 22%

Techniques & Countermeasures

• CWE-436•Interpretation Conflict

  Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Affected Systems

• digital bazaar•forge

  ≤ 1.3.1

• digital bazaar•node-forge

  ≤ 1.3.1

• digitalbazaar•forge

  ≤ 1.3.1

• Npm•node-forge

  < 1.3.2

References (13)

• https://www.npmjs.com/package/node-forge
• https://github.com/digitalbazaar/forge/pull/1124
• https://github.com/digitalbazaar/forge
• https://kb.cert.org/vuls/id/521113
• https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq
• https://www.kb.cert.org/vuls/id/521113
• https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js#L1153
• https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js#L81
• https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js#L363
• https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js#L328
• https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js#L90
• https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js#L1167
• https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L667