A popular JavaScript cryptography library is vulnerable in a way which could allow threat actors to break into user accounts. The library has since been updated, and users are urged to move to the new version as soon as possible.
The bug was found in the 'node-forge' package, a popular cryptography tool that provides functions for things like encryption, decryption, hashing, digital signatures, TLS/SSL, and key generation, all without needing native modules.
The bug lets an attacker craft a bogus ASN.1 data structure that tricks the library into skipping cryptographic checks and allowing signature, or certificate validation, to be bypassed. It is tracked as CVE-2025-12816 and is given a severity score of 8.6/10 (high). Abstract Syntax Notation One (ASN.1) is a standard format used for encoding data in certificates and cryptographic operations.
Carnegie Mellon CERT-CC also issued a security advisory, in which it said the bug can be abused in different ways, and may result in authentication bypass, signed data tempering, or misuses of certificate-related functions.
"In environments where cryptographic verification plays a central role in trust decisions, the potential impact can be significant," CERT-CC said.
Node.js developers should care because node-forge is a core cryptography library used in countless web apps and services. It is also an immensely popular library, with almost 26 million weekly downloads on the Node Package Manager (npm) registry.
The vulnerability was discovered by cybersecurity researchers from Palo Alto Networks, and was responsibly disclosed to node-forge maintainers, who released a fix earlier this week.
The fix brings the library to version 1.3.2, and developers using node-forge are urged to switch to the new version as soon as possible. As a general rule of thumb, developers should promptly update cryptography dependencies in Node.js projects, as even widely used, trusted packages can contain critical flaws.
Via BleepingComputer