{"url":"http://public2.vulnerablecode.io/api/packages/532120?format=json","purl":"pkg:npm/node-forge@0.2.25","type":"npm","namespace":"","name":"node-forge","version":"0.2.25","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.0","latest_non_vulnerable_version":"1.4.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207276?format=json","vulnerability_id":"VCID-4ax1-dngv-dfed","summary":"Prototype Pollution in node-forge debug API.","references":[{"reference_url":"https://github.com/advisories/GHSA-5rrq-pxf6-6jx5","reference_id":"GHSA-5rrq-pxf6-6jx5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5rrq-pxf6-6jx5"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-5rrq-pxf6-6jx5","reference_id":"GHSA-5rrq-pxf6-6jx5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-5rrq-pxf6-6jx5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18618?format=json","purl":"pkg:npm/node-forge@1.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64cy-gjgm-d3b1"},{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-918k-jaua-efcg"},{"vulnerability":"VCID-jeym-9d7x-dqgp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-rass-mdkt-27e6"},{"vulnerability":"VCID-rmdy-g122-rkba"},{"vulnerability":"VCID-ytae-c7vj-f7ga"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.0.0"}],"aliases":["GHSA-5rrq-pxf6-6jx5","GMS-2022-66"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4ax1-dngv-dfed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22532?format=json","vulnerability_id":"VCID-64cy-gjgm-d3b1","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12816.json","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-12816.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12816","reference_id":"","reference_type":"","scores":[{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.2202","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.21831","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-12816"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12816","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12816"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js#L1153","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js#L1153"},{"reference_url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js#L81","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js#L81"},{"reference_url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js#L363","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js#L363"},{"reference_url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js#L328","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js#L328"},{"reference_url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js#L90","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js#L90"},{"reference_url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js#L1167","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js#L1167"},{"reference_url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L667","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L667"},{"reference_url":"https://www.kb.cert.org/vuls/id/521113","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.kb.cert.org/vuls/id/521113"},{"reference_url":"https://github.com/digitalbazaar/forge/pull/1124","reference_id":"1124","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-25T20:21:37Z/"}],"url":"https://github.com/digitalbazaar/forge/pull/1124"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417097","reference_id":"2417097","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417097"},{"reference_url":"https://kb.cert.org/vuls/id/521113","reference_id":"521113","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-25T20:21:37Z/"}],"url":"https://kb.cert.org/vuls/id/521113"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12816","reference_id":"CVE-2025-12816","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12816"},{"reference_url":"https://github.com/digitalbazaar/forge","reference_id":"forge","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-25T20:21:37Z/"}],"url":"https://github.com/digitalbazaar/forge"},{"reference_url":"https://github.com/advisories/GHSA-5gfm-wpxj-wjgq","reference_id":"GHSA-5gfm-wpxj-wjgq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5gfm-wpxj-wjgq"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq","reference_id":"GHSA-5gfm-wpxj-wjgq","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-25T20:21:37Z/"}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq"},{"reference_url":"https://www.npmjs.com/package/node-forge","reference_id":"node-forge","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-25T20:21:37Z/"}],"url":"https://www.npmjs.com/package/node-forge"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22936","reference_id":"RHSA-2025:22936","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22936"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22937","reference_id":"RHSA-2025:22937","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22937"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22938","reference_id":"RHSA-2025:22938","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22938"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22941","reference_id":"RHSA-2025:22941","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22941"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0261","reference_id":"RHSA-2026:0261","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0261"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0414","reference_id":"RHSA-2026:0414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0518","reference_id":"RHSA-2026:0518","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0518"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1248","reference_id":"RHSA-2026:1248","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1248"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1517","reference_id":"RHSA-2026:1517","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1517"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1730","reference_id":"RHSA-2026:1730","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1730"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1942","reference_id":"RHSA-2026:1942","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1942"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:20041","reference_id":"RHSA-2026:20041","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:20041"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2106","reference_id":"RHSA-2026:2106","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2106"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2256","reference_id":"RHSA-2026:2256","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2256"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2350","reference_id":"RHSA-2026:2350","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2350"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2456","reference_id":"RHSA-2026:2456","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2456"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2500","reference_id":"RHSA-2026:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2568","reference_id":"RHSA-2026:2568","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2568"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2695","reference_id":"RHSA-2026:2695","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2695"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2737","reference_id":"RHSA-2026:2737","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2737"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2754","reference_id":"RHSA-2026:2754","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2754"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2762","reference_id":"RHSA-2026:2762","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2762"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2900","reference_id":"RHSA-2026:2900","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2900"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3710","reference_id":"RHSA-2026:3710","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3710"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3712","reference_id":"RHSA-2026:3712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3712"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3713","reference_id":"RHSA-2026:3713","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3713"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3825","reference_id":"RHSA-2026:3825","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3825"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3869","reference_id":"RHSA-2026:3869","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3869"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3874","reference_id":"RHSA-2026:3874","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3874"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4185","reference_id":"RHSA-2026:4185","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4185"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4215","reference_id":"RHSA-2026:4215","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4215"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35499?format=json","purl":"pkg:npm/node-forge@1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.3.2"}],"aliases":["CVE-2025-12816","GHSA-5gfm-wpxj-wjgq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-64cy-gjgm-d3b1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77734?format=json","vulnerability_id":"VCID-6vg2-h2n1-1ubp","summary":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33895.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33895.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33895","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13447","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13338","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33895"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25793","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25793"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33895","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33895"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452457","reference_id":"2452457","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452457"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85","reference_id":"bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:39:49Z/"}],"url":"https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35961","reference_id":"CVE-2022-35961","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35961"},{"reference_url":"https://github.com/advisories/GHSA-q67f-28xg-22rw","reference_id":"GHSA-q67f-28xg-22rw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q67f-28xg-22rw"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw","reference_id":"GHSA-q67f-28xg-22rw","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:39:49Z/"}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw"},{"reference_url":"https://datatracker.ietf.org/doc/html/rfc8032#section-8.4","reference_id":"rfc8032#section-8.4","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:39:49Z/"}],"url":"https://datatracker.ietf.org/doc/html/rfc8032#section-8.4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24761","reference_id":"RHSA-2026:24761","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24761"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374510?format=json","purl":"pkg:npm/node-forge@1.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.4.0"}],"aliases":["CVE-2026-33895","GHSA-q67f-28xg-22rw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6vg2-h2n1-1ubp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/173395?format=json","vulnerability_id":"VCID-918k-jaua-efcg","summary":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24771.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24771.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24771","reference_id":"","reference_type":"","scores":[{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.3956","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0018","scoring_system":"epss","scoring_elements":"0.39389","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24771"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2067387","reference_id":"2067387","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2067387"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1","reference_id":"3f0b49a0573ef1bb7af7f5673c0cfebf00424df1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:40Z/"}],"url":"https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24771","reference_id":"CVE-2022-24771","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24771"},{"reference_url":"https://github.com/advisories/GHSA-cfm4-qjh2-4765","reference_id":"GHSA-cfm4-qjh2-4765","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cfm4-qjh2-4765"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765","reference_id":"GHSA-cfm4-qjh2-4765","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:40Z/"}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1739","reference_id":"RHSA-2022:1739","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1739"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6156","reference_id":"RHSA-2022:6156","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6156"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6813","reference_id":"RHSA-2022:6813","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6813"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6835","reference_id":"RHSA-2022:6835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6835"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19803?format=json","purl":"pkg:npm/node-forge@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64cy-gjgm-d3b1"},{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-jeym-9d7x-dqgp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-rmdy-g122-rkba"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.3.0"}],"aliases":["CVE-2022-24771","GHSA-cfm4-qjh2-4765"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-918k-jaua-efcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207482?format=json","vulnerability_id":"VCID-9jed-5rk2-fuha","summary":"Open Redirect in node-forge","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0122","reference_id":"","reference_type":"","scores":[{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.55114","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54992","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0122"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/db8016c805371e72b06d8e2edfe0ace0df934a5e","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/commit/db8016c805371e72b06d8e2edfe0ace0df934a5e"},{"reference_url":"https://huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0122","reference_id":"CVE-2022-0122","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0122"},{"reference_url":"https://github.com/advisories/GHSA-8fr3-hfg3-gpgp","reference_id":"GHSA-8fr3-hfg3-gpgp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fr3-hfg3-gpgp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18618?format=json","purl":"pkg:npm/node-forge@1.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64cy-gjgm-d3b1"},{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-918k-jaua-efcg"},{"vulnerability":"VCID-jeym-9d7x-dqgp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-rass-mdkt-27e6"},{"vulnerability":"VCID-rmdy-g122-rkba"},{"vulnerability":"VCID-ytae-c7vj-f7ga"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.0.0"}],"aliases":["CVE-2022-0122","GHSA-8fr3-hfg3-gpgp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9jed-5rk2-fuha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207272?format=json","vulnerability_id":"VCID-euc2-gvgf-wuc6","summary":"URL parsing in node-forge could lead to undesired behavior.","references":[{"reference_url":"https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0122","reference_id":"CVE-2022-0122","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0122"},{"reference_url":"https://github.com/advisories/GHSA-gf8q-jrpm-jvxq","reference_id":"GHSA-gf8q-jrpm-jvxq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gf8q-jrpm-jvxq"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-gf8q-jrpm-jvxq","reference_id":"GHSA-gf8q-jrpm-jvxq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-gf8q-jrpm-jvxq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18618?format=json","purl":"pkg:npm/node-forge@1.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64cy-gjgm-d3b1"},{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-918k-jaua-efcg"},{"vulnerability":"VCID-jeym-9d7x-dqgp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-rass-mdkt-27e6"},{"vulnerability":"VCID-rmdy-g122-rkba"},{"vulnerability":"VCID-ytae-c7vj-f7ga"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.0.0"}],"aliases":["GHSA-gf8q-jrpm-jvxq","GMS-2022-67"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-euc2-gvgf-wuc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94932?format=json","vulnerability_id":"VCID-jeym-9d7x-dqgp","summary":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66030.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66030.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66030","reference_id":"","reference_type":"","scores":[{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22627","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22431","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66030"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66030","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66030"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417384","reference_id":"2417384","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417384"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb","reference_id":"3e0c35ace169cfca529a3e547a7848dc7bf57fdb","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-28T18:24:09Z/"}],"url":"https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66030","reference_id":"CVE-2025-66030","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66030"},{"reference_url":"https://github.com/advisories/GHSA-65ch-62r8-g69g","reference_id":"GHSA-65ch-62r8-g69g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-65ch-62r8-g69g"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g","reference_id":"GHSA-65ch-62r8-g69g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-28T18:24:09Z/"}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35499?format=json","purl":"pkg:npm/node-forge@1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.3.2"}],"aliases":["CVE-2025-66030","GHSA-65ch-62r8-g69g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jeym-9d7x-dqgp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77927?format=json","vulnerability_id":"VCID-jzq5-zkxm-kka3","summary":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33896.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33896.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33896","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10635","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10694","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33896"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33896","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33896"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452458","reference_id":"2452458","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452458"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90","reference_id":"2e492832fb25227e6b647cbe1ac981c123171e90","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T18:53:46Z/"}],"url":"https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"},{"reference_url":"https://github.com/advisories/GHSA-2328-f5f3-gj25","reference_id":"GHSA-2328-f5f3-gj25","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2328-f5f3-gj25"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25","reference_id":"GHSA-2328-f5f3-gj25","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T18:53:46Z/"}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24761","reference_id":"RHSA-2026:24761","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24761"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374510?format=json","purl":"pkg:npm/node-forge@1.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.4.0"}],"aliases":["CVE-2026-33896","GHSA-2328-f5f3-gj25"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jzq5-zkxm-kka3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77884?format=json","vulnerability_id":"VCID-pc81-tj49-j3fs","summary":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it.  Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33894.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33894.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33894","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11896","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11812","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33894"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33894","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33894"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452464","reference_id":"2452464","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452464"},{"reference_url":"https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE","reference_id":"5rnE9ZRN1AokBVj3VqblGlP63QE","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:04:30Z/"}],"url":"https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765","reference_id":"GHSA-cfm4-qjh2-4765","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765"},{"reference_url":"https://github.com/advisories/GHSA-ppp5-5v6c-4jwp","reference_id":"GHSA-ppp5-5v6c-4jwp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ppp5-5v6c-4jwp"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp","reference_id":"GHSA-ppp5-5v6c-4jwp","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:04:30Z/"}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp"},{"reference_url":"https://datatracker.ietf.org/doc/html/rfc2313#section-8","reference_id":"rfc2313#section-8","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:04:30Z/"}],"url":"https://datatracker.ietf.org/doc/html/rfc2313#section-8"},{"reference_url":"https://www.rfc-editor.org/rfc/rfc8017.html","reference_id":"rfc8017.html","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:04:30Z/"}],"url":"https://www.rfc-editor.org/rfc/rfc8017.html"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19375","reference_id":"RHSA-2026:19375","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19375"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:21017","reference_id":"RHSA-2026:21017","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:21017"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:22465","reference_id":"RHSA-2026:22465","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:22465"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:22629","reference_id":"RHSA-2026:22629","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:22629"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:22840","reference_id":"RHSA-2026:22840","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:22840"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:23361","reference_id":"RHSA-2026:23361","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:23361"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24761","reference_id":"RHSA-2026:24761","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24761"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24853","reference_id":"RHSA-2026:24853","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24853"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374510?format=json","purl":"pkg:npm/node-forge@1.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.4.0"}],"aliases":["CVE-2026-33894","GHSA-ppp5-5v6c-4jwp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pc81-tj49-j3fs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208557?format=json","vulnerability_id":"VCID-rass-mdkt-27e6","summary":"Improper Verification of Cryptographic Signature in `node-forge`","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24773.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24773.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24773","reference_id":"","reference_type":"","scores":[{"value":"0.00133","scoring_system":"epss","scoring_elements":"0.3258","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00133","scoring_system":"epss","scoring_elements":"0.32399","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24773"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2067461","reference_id":"2067461","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2067461"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24773","reference_id":"CVE-2022-24773","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24773"},{"reference_url":"https://github.com/advisories/GHSA-2r2c-g63r-vccr","reference_id":"GHSA-2r2c-g63r-vccr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2r2c-g63r-vccr"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr","reference_id":"GHSA-2r2c-g63r-vccr","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1739","reference_id":"RHSA-2022:1739","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1739"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6156","reference_id":"RHSA-2022:6156","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6156"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6835","reference_id":"RHSA-2022:6835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6835"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19803?format=json","purl":"pkg:npm/node-forge@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64cy-gjgm-d3b1"},{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-jeym-9d7x-dqgp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-rmdy-g122-rkba"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.3.0"}],"aliases":["CVE-2022-24773","GHSA-2r2c-g63r-vccr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rass-mdkt-27e6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94928?format=json","vulnerability_id":"VCID-rmdy-g122-rkba","summary":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66031.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66031.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66031","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.18107","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.1795","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66031"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66031","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66031"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417397","reference_id":"2417397","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2417397"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451","reference_id":"260425c6167a38aae038697132483b5517b26451","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-28T18:26:11Z/"}],"url":"https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66031","reference_id":"CVE-2025-66031","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66031"},{"reference_url":"https://github.com/advisories/GHSA-554w-wpv2-vw27","reference_id":"GHSA-554w-wpv2-vw27","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-554w-wpv2-vw27"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27","reference_id":"GHSA-554w-wpv2-vw27","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-11-28T18:26:11Z/"}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22861","reference_id":"RHSA-2025:22861","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22861"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22936","reference_id":"RHSA-2025:22936","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22936"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22937","reference_id":"RHSA-2025:22937","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22937"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22938","reference_id":"RHSA-2025:22938","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22938"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22941","reference_id":"RHSA-2025:22941","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22941"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0261","reference_id":"RHSA-2026:0261","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0261"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0414","reference_id":"RHSA-2026:0414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0518","reference_id":"RHSA-2026:0518","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0518"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1248","reference_id":"RHSA-2026:1248","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1248"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1517","reference_id":"RHSA-2026:1517","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1517"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1596","reference_id":"RHSA-2026:1596","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1596"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1730","reference_id":"RHSA-2026:1730","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1730"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:20041","reference_id":"RHSA-2026:20041","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:20041"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2350","reference_id":"RHSA-2026:2350","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2350"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2456","reference_id":"RHSA-2026:2456","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2456"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2568","reference_id":"RHSA-2026:2568","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2568"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2737","reference_id":"RHSA-2026:2737","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2737"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2754","reference_id":"RHSA-2026:2754","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2754"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2762","reference_id":"RHSA-2026:2762","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2762"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2900","reference_id":"RHSA-2026:2900","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2900"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3710","reference_id":"RHSA-2026:3710","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3710"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3712","reference_id":"RHSA-2026:3712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3712"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3713","reference_id":"RHSA-2026:3713","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3713"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:3874","reference_id":"RHSA-2026:3874","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:3874"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5807","reference_id":"RHSA-2026:5807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5807"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35499?format=json","purl":"pkg:npm/node-forge@1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.3.2"}],"aliases":["CVE-2025-66031","GHSA-554w-wpv2-vw27"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rmdy-g122-rkba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208556?format=json","vulnerability_id":"VCID-ytae-c7vj-f7ga","summary":"Improper Verification of Cryptographic Signature in node-forge","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24772.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24772.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24772","reference_id":"","reference_type":"","scores":[{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34645","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34468","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24772"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2067458","reference_id":"2067458","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2067458"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24772","reference_id":"CVE-2022-24772","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24772"},{"reference_url":"https://github.com/advisories/GHSA-x4jg-mjrx-434g","reference_id":"GHSA-x4jg-mjrx-434g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x4jg-mjrx-434g"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g","reference_id":"GHSA-x4jg-mjrx-434g","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1739","reference_id":"RHSA-2022:1739","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1739"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6156","reference_id":"RHSA-2022:6156","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6156"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6813","reference_id":"RHSA-2022:6813","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6813"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6835","reference_id":"RHSA-2022:6835","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6835"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19803?format=json","purl":"pkg:npm/node-forge@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-64cy-gjgm-d3b1"},{"vulnerability":"VCID-6vg2-h2n1-1ubp"},{"vulnerability":"VCID-jeym-9d7x-dqgp"},{"vulnerability":"VCID-jzq5-zkxm-kka3"},{"vulnerability":"VCID-pc81-tj49-j3fs"},{"vulnerability":"VCID-rmdy-g122-rkba"},{"vulnerability":"VCID-z7tw-mtdc-wfd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.3.0"}],"aliases":["CVE-2022-24772","GHSA-x4jg-mjrx-434g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ytae-c7vj-f7ga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77972?format=json","vulnerability_id":"VCID-z7tw-mtdc-wfd3","summary":"Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33891.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33891.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33891","reference_id":"","reference_type":"","scores":[{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23769","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00081","scoring_system":"epss","scoring_elements":"0.23965","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33891"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33891","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33891"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452450","reference_id":"2452450","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452450"},{"reference_url":"https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f25d023","reference_id":"9bb8d67b99d17e4ebb5fd7596cd699e11f25d023","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:38:00Z/"}],"url":"https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f25d023"},{"reference_url":"https://github.com/advisories/GHSA-5m6q-g25r-mvwx","reference_id":"GHSA-5m6q-g25r-mvwx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5m6q-g25r-mvwx"},{"reference_url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx","reference_id":"GHSA-5m6q-g25r-mvwx","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:38:00Z/"}],"url":"https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13826","reference_id":"RHSA-2026:13826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24761","reference_id":"RHSA-2026:24761","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24761"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:24762","reference_id":"RHSA-2026:24762","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24762"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:9742","reference_id":"RHSA-2026:9742","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:9742"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374510?format=json","purl":"pkg:npm/node-forge@1.4.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@1.4.0"}],"aliases":["CVE-2026-33891","GHSA-5m6q-g25r-mvwx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z7tw-mtdc-wfd3"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/node-forge@0.2.25"}