Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (e.g., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Signature forgery allows authentication bypass
Action: Immediate Patch
AI Analysis

Impact

Forge’s Ed25519 verification accepts non‑canonical signatures where the scalar component S is not reduced modulo the group order. Because the range check on S is missing, a variant of a valid signature whose S has the group order L added to it still verifies in forge, even though it is invalid per the Ed25519 specification. Applications that trust forge’s verification can therefore accept forged signatures, enabling attackers to bypass authentication, authorization, and any signature‑based integrity checks such as deduplication or replay prevention. The weakness is a signature forgery vulnerability under CWE‑347.

Affected Systems

Digitalbazaar’s node‑forge library is affected in all releases prior to version 1.4.0. Any Node.js application that imports forge for Ed25519 signature verification and relies on nonce or uniqueness checks is potentially vulnerable unless it has been updated to 1.4.0 or newer.

Risk and Exploitability

The CVSS score of 7.5 (High) comes from the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: a high integrity impact, reachable over the network with no privileges or user interaction required. The EPSS score of less than 1% suggests low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted signature that satisfies forge’s lenient verifier, most likely through a remote interface that processes signed data. Once the forged signature is accepted, the attacker can impersonate trusted users, elevate privileges, or tamper with data without detection.

Generated by OpenCVE AI on April 14, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade node‑forge to version 1.4.0 or later
  • Verify all Ed25519 verifications use the updated library or Node.js crypto.verify which rejects non‑canonical signatures
  • Audit application logic that relies on signature uniqueness or replay protection to ensure it does not depend on forgery‑prone checks
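
A pre-verification guard for the second and third actions above, as an added example that is not code from forge or from this advisory: it rejects any 64-byte Ed25519 signature whose S half is not below the group order L, so a non-canonical variant never reaches the verifier or a signature-keyed dedup or replay store. The function names, the `verifyFn` callback shape and the sample inputs are assumptions made for the example.

```javascript
// Added example (not forge's code): reject Ed25519 signatures whose S >= L
// before they reach any verifier or signature-keyed dedup/replay store.

// Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493.
const L = (1n << 252n) + 27742317777372353535851937790883648493n;

// Decode little-endian bytes (the encoding Ed25519 uses for S) to a BigInt.
function leBytesToBigInt(bytes) {
  let n = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) {
    n = (n << 8n) | BigInt(bytes[i]);
  }
  return n;
}

// A signature is R (32 bytes) || S (32 bytes); it is canonical only if S < L.
function isCanonicalSignature(sig) {
  if (!(sig instanceof Uint8Array) || sig.length !== 64) return false;
  return leBytesToBigInt(sig.subarray(32)) < L;
}

// Hypothetical wrapper: verifyFn is whatever verifier the application uses,
// called as verifyFn(message, sig, publicKey) and returning a boolean.
function verifyStrict(verifyFn, message, sig, publicKey) {
  if (!isCanonicalSignature(sig)) return false; // never reaches verifyFn
  return verifyFn(message, sig, publicKey) === true;
}

// Constructed sample: all-zero R half plus a chosen S value. These are not
// real signatures; they only exercise the range check.
function sampleSignature(s) {
  const sig = new Uint8Array(64);
  for (let i = 0; i < 32; i++) {
    sig[32 + i] = Number(s & 0xffn);
    s >>= 8n;
  }
  return sig;
}

console.log(isCanonicalSignature(sampleSignature(L - 1n))); // true
console.log(isCanonicalSignature(sampleSignature(L)));      // false
```

Running the same check over stored signatures identifies records that were accepted in non-canonical form before the upgrade.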



Advisories
Source: Github GHSA
ID: GHSA-q67f-28xg-22rw
Title: Forge has signature forgery in Ed25519 due to missing S > L check

History

Tue, 14 Apr 2026 01:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:digitalbazaar:forge:*:*:*:*:*:node.js:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Added: Digitalbazaar; Digitalbazaar forge
Type: Vendors & Products
Values Added: Digitalbazaar; Digitalbazaar forge

Sat, 28 Mar 2026 12:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important

Sat, 28 Mar 2026 03:15:00 +0000

Type: Description
Values Added: the Description text shown at the top of this page
Type: Title
Values Added: Forge has signature forgery in Ed25519 due to missing S > L check
Type: Weaknesses
Values Added: CWE-347
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:10:01.632Z

Reserved: 2026-03-24T15:41:47.490Z

Link: CVE-2026-33895

Vulnrichment

Updated: 2026-03-31T19:07:58.243Z

NVD

Status: Analyzed

Published: 2026-03-27T21:17:26.157

Modified: 2026-04-14T01:14:42.487

Link: CVE-2026-33895

Redhat

Severity: Important

Public Date: 2026-03-27T20:47:54Z

Links: CVE-2026-33895 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:42:37Z

Weaknesses