Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Published: 2026-03-27
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: TLS impersonation
Action: Patch Now
AI Analysis

Impact

Forge is a JavaScript implementation of TLS used in Node.js environments. In all releases earlier than 1.4.0, the certificate chain validation routine does not enforce RFC 5280 basicConstraints or keyUsage extensions when an intermediate certificate lacks these extensions. This flaw permits a leaf certificate that omits the required extensions to act as a certificate authority and sign other certificates, which node-forge will accept as valid. Consequently, an attacker could generate and deploy forged certificates that a host application trusting node-forge would accept, enabling impersonation of trusted servers and compromising confidentiality and integrity.

Affected Systems

The affected product is node-forge (also known as Forge) from DigitalBazaar. Versions preceding 1.4.0 are vulnerable; all earlier releases permit the described certificate chain bypass.

Risk and Exploitability

The CVSS base score is 7.4, indicating high severity, while the EPSS score is below 1 %, suggesting a low probability of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitability is likely limited to contexts where an attacker can influence the certificates presented to node-forge, such as in applications that perform TLS with third‑party certificates or in supply‑chain scenarios. An attacker would need to craft a leaf certificate lacking basicConstraints and keyUsage, use it as a CA, sign a target certificate, and supply the resulting chain to an application that relies on node-forge for certificate verification.

Generated by OpenCVE AI on April 14, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade node-forge to version 1.4.0 or newer
  • Re‑verify any custom certificate handling in the code to ensure strict RFC 5280 compliance after the upgrade

Generated by OpenCVE AI on April 14, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2328-f5f3-gj25 Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
History

Tue, 14 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:digitalbazaar:forge:*:*:*:*:*:node.js:*:*

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Digitalbazaar
Digitalbazaar forge
Vendors & Products Digitalbazaar
Digitalbazaar forge

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Title Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Digitalbazaar Forge
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T18:53:50.510Z

Reserved: 2026-03-24T15:41:47.490Z

Link: CVE-2026-33896

cve-icon Vulnrichment

Updated: 2026-03-30T18:53:41.483Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T21:17:26.320

Modified: 2026-04-14T01:13:21.133

Link: CVE-2026-33896

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-27T20:50:03Z

Links: CVE-2026-33896 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:36Z

Weaknesses