VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-918k-jaua-efcg

Essentials
Severities (18)
References (13)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-918k-jaua-efcg
Aliases	CVE-2022-24771 GHSA-cfm4-qjh2-4765
Summary	Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-347	Improper Verification of Cryptographic Signature
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24771.json
epss	0.0018	https://api.first.org/data/v1/epss?cve=CVE-2022-24771
epss	0.0018	https://api.first.org/data/v1/epss?cve=CVE-2022-24771
epss	0.0018	https://api.first.org/data/v1/epss?cve=CVE-2022-24771
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-cfm4-qjh2-4765
cvssv3.1	7.5	https://github.com/digitalbazaar/forge
generic_textual	HIGH	https://github.com/digitalbazaar/forge
cvssv3.1	7.5	https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
generic_textual	HIGH	https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
ssvc	Track	https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
cvssv3.1	7.5	https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2
generic_textual	HIGH	https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2
cvssv3.1	7.5	https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
cvssv3.1_qr	HIGH	https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
generic_textual	HIGH	https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
ssvc	Track	https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2022-24771
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2022-24771

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24771.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-24771
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
		https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2
2067387		https://bugzilla.redhat.com/show_bug.cgi?id=2067387
3f0b49a0573ef1bb7af7f5673c0cfebf00424df1		https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
CVE-2022-24771		https://nvd.nist.gov/vuln/detail/CVE-2022-24771
GHSA-cfm4-qjh2-4765		https://github.com/advisories/GHSA-cfm4-qjh2-4765
GHSA-cfm4-qjh2-4765		https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
RHSA-2022:1739		https://access.redhat.com/errata/RHSA-2022:1739
RHSA-2022:6156		https://access.redhat.com/errata/RHSA-2022:6156
RHSA-2022:6813		https://access.redhat.com/errata/RHSA-2022:6813
RHSA-2022:6835		https://access.redhat.com/errata/RHSA-2022:6835

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24771.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/digitalbazaar/forge

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:40Z/ Found at https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:56:40Z/ Found at https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24771

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.39389
EPSS Score	0.0018
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:41:17.039910+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2022/24xxx/CVE-2022-24771.json	38.6.0