- Node-forge cryptography library flaw (CVE-2025-12816) allowed signature and certificate validation to be bypassed
- CERT-CC warns of risks including authentication bypass and tampering with signed data
- The maintainers released version 1.3.2; developers are urged to update immediately
A popular JavaScript cryptography library is vulnerable in a way that could allow threat actors to break into user accounts. The library has since been updated and users are urged to move to the new version as soon as possible.
The bug was found in the ‘node-forge’ package, a popular cryptography tool that provides functions for things like encryption, decryption, hashing, digital signatures, TLS/SSL, and key generation, all without the need for native modules.
The bug allows an attacker to craft a malformed ASN.1 data structure that tricks the library into skipping its cryptographic checks, so that certificate signing or signature validation can be bypassed. It is tracked as CVE-2025-12816 and is assigned a severity score of 8.6/10 (high). Abstract Syntax Notation One (ASN.1) is a standard format used to encode data in certificates and cryptographic operations.
Significant impact
Carnegie Mellon's CERT-CC also issued a security advisory, saying that the bug can be abused in different ways and may result in authentication bypass, modification of signed data, or misuse of certificate-related functions.
“In environments where cryptographic verification plays a central role in trust decisions, the potential impact can be significant,” CERT-CC said.
Node.js developers should care because node-forge is a core cryptography library used in countless applications and web services. It's also an immensely popular library, with nearly 26 million weekly downloads on the Node Package Manager (npm) registry.
The vulnerability was discovered by cybersecurity researchers at Palo Alto Networks and was responsibly disclosed to the node-forge maintainers, who published a fix earlier this week.
The fix brings the library to version 1.3.2 and developers using node-forge are urged to switch to the new version as soon as possible. As a general rule, developers should quickly update cryptographic dependencies in Node.js projects, as even widely used and trusted packages can contain critical flaws.
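Since node-forge is often pulled in transitively, the quickest way to know whether a project is still exposed is to scan its lock file for every installed copy below the 1.3.2 fix release. The script below is an added example written for this article, not code from TechRadar or the node-forge project; the lock file contents and the dependency name "some-lib" are constructed, and the version comparison is a simplified one that ignores prerelease tags.

```javascript
// Added example: flag every node-forge copy in an npm package-lock.json that
// predates the 1.3.2 fix. Handles the flat "packages" map (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
const FIXED_VERSION = "1.3.2";
const PACKAGE = "node-forge";

// Compare two "x.y.z" strings numerically (prerelease suffix ignored);
// returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return {path, version} for each installed node-forge older than the fix.
function findVulnerableForge(lock) {
  const hits = [];
  const check = (path, version) => {
    if (version && compareVersions(version, FIXED_VERSION) < 0) hits.push({ path, version });
  };
  if (lock.packages) {                              // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PACKAGE)) check(path, meta.version);
    }
  } else if (lock.dependencies) {                   // lockfileVersion 1
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + name;
        if (name === PACKAGE) check(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: the top-level copy is patched, but a hypothetical
// dependency "some-lib" still bundles an older node-forge.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/node-forge": { version: "1.3.2" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/node-forge": { version: "1.3.1" },
  },
};
console.log(findVulnerableForge(SAMPLE_LOCK));
// → [ { path: 'node_modules/some-lib/node_modules/node-forge', version: '1.3.1' } ]
```

Run it against a real project with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`; an empty result means every installed copy is at or above 1.3.2.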
Via BleepingComputer