Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Signature forgery allowing formation of valid RSA‑PKCS#1 v1.5 signatures with low–exponent keys.
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in forge’s implementation of RSASSA PKCS#1 v1.5 signature verification. Before version 1.4.0, the library accepts malformed ASN.1 structures that contain additional “garbage” bytes inside the signature’s ASN.1 field. When the RSA public exponent is small (e = 3), an attacker can craft a signature that satisfies the verification routine while actually being entirely user‑controlled. The defect also allows forging signatures that lack the required minimum eight bytes of padding, creating a Bleichenbacher‑style forgery path. Consequently, any system that relies on forge to verify signed data can be deceived into accepting attacker‑generated signatures, potentially compromising authentication or integrity of protected content.

Affected Systems

The vulnerability affects all releases of the Digital Bazaar node‑forge library before version 1.4.0. Any JavaScript application—client‑side or server‑side—that uses forge for Transport Layer Security or RSA signature verification is at risk if it does not upgrade to the patched release.

Risk and Exploitability

With a CVSS base score of 7.5, the vulnerability poses a high impact. The exploitation model is straightforward: an adversary can generate a forged signature for any public key with a low exponent, and any consumer of forge that performs signature validation will accept it as legitimate. No EPSS score is documented, and the flaw has not been listed in the CISA KEV catalog. Given the ubiquity of node‑forge in web and server applications, the risk of real‑world exploitation remains significant.

Generated by OpenCVE AI on March 28, 2026 at 05:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade node‑forge to version 1.4.0 or later, the release that contains the patch for this issue.

Generated by OpenCVE AI on March 28, 2026 at 05:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ppp5-5v6c-4jwp Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
History

Fri, 17 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:digitalbazaar:forge:*:*:*:*:*:node.js:*:*

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Digitalbazaar
Digitalbazaar forge
Vendors & Products Digitalbazaar
Digitalbazaar forge

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Title Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
Weaknesses CWE-20
CWE-347
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Digitalbazaar Forge
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:05:14.708Z

Reserved: 2026-03-24T15:41:47.489Z

Link: CVE-2026-33894

cve-icon Vulnrichment

Updated: 2026-03-31T14:05:09.549Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T21:17:25.983

Modified: 2026-04-17T21:16:42.030

Link: CVE-2026-33894

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-27T20:45:49Z

Links: CVE-2026-33894 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:00:18Z

Weaknesses