CISA issues alert on Forge JavaScript library signature verification vulnerability

The Forge JavaScript cryptographic library, which supports Transport Layer Security (TLS) utilities, contains a vulnerability that permits bypassing signature verification by manipulating Abstract Syntax Notation One (ASN.1) structures such as Message Authentication Code (MAC) data. This flaw impacts the node-forge package, and users are advised to apply available updates promptly.

The vulnerability is indexed as CVE-2025-12816 and affects Forge versions prior to 1.3.2. It resides in the asn1.validate function responsible for parsing and validating ASN.1 data, a core component used for operations including certificate generation, message signing, verification, encryption, and decryption. The flaw enables attackers to craft ASN.1 data with embedded custom options in recursively verified fields that bypass validation checks despite cryptographic inconsistencies. Demonstrations included manipulated PKCS#12 Message Authentication Code (MAC) data successfully circumventing signature checks. The verification bypass spans cryptographic protocols processed through ASN.1, such as X.509 certificates, PKCS#7 messages, and PKCS#12 archives.

Exploitation allows attackers who control ASN.1 input to deceive applications relying on Forge's validation into accepting tampered or forged data. This could facilitate bypassing authentication processes, altering signed data, or abusing cryptographic functions like those involved in software signature verification. The advisory notes that impact will vary across environments but that the vulnerability undermines the integrity of cryptographic verification where it is critical.

A remedial version, Forge 1.3.2, has been released containing fixes for the vulnerability along with enhanced test cases located in tests/security/cve-2025-12816.js to demonstrate proper validation behavior. Developers and projects consuming node-forge are instructed to update to this patched version through established deployment and distribution methods. The fix is documented in Pull Request #1124 on the official Forge GitHub repository.
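One defender-side check a team can run before and after the update, as an added example that is not from the CISA bulletin or the Forge project: a small Node script that scans a package-lock.json (lockfileVersion 2 or 3 layout is assumed; the lock file here is constructed inline) for node-forge installs older than 1.3.2, including nested transitive copies that a top-level upgrade can miss.

```javascript
// Added example, not code from the CISA bulletin or the Forge project.
// Scans an npm package-lock.json (lockfileVersion 2/3 "packages" map assumed)
// for node-forge installs that predate the CVE-2025-12816 fix in 1.3.2.

const FIXED_VERSION = "1.3.2"; // first node-forge release with the fix

// Compare two dotted version strings numerically. A pre-release tag on `a`
// (e.g. "1.3.2-beta.1") sorts below the same plain version, so pre-release
// builds of the fixed version are still reported as vulnerable.
function compareVersions(a, b) {
  const [aNum, aPre] = a.split("-");
  const [bNum, bPre] = b.split("-");
  const pa = aNum.split(".").map(Number);
  const pb = bNum.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Walk every entry in the lock file's "packages" map and collect each
// node-forge install path (top-level or nested under another package)
// whose version is older than FIXED_VERSION.
function findVulnerableForge(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/node-forge")) continue;
    if (compareVersions(info.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Constructed sample lock file: the direct dependency is already patched,
// but a transitive copy pinned by another library is still vulnerable.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-forge": { version: "1.3.2" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/node-forge": { version: "1.3.1" },
  },
};

for (const f of findVulnerableForge(sampleLock)) {
  console.log(`vulnerable node-forge ${f.version} at ${f.path}`);
}
```

Replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; lockfileVersion 1 files use a nested "dependencies" tree instead and would need a different walk.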

The advisory recognizes Hunter Wodzenski of Palo Alto Networks as the researcher who reported the issue responsibly. The bulletin was compiled by Vijay Sarvepalli. Users should refer to official vendor sources for the latest information and updates regarding this vulnerability and its mitigation.