Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
apn-2.2.0.tgz (Root Library)
❌ node-forge-0.7.6.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.7.6.tgz[](https://whitesource-resources.whitesourcesoftware.com/high_vul.png)[](https://whitesource-resources.whitesourcesoftware.com/cvss3.png)
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
apn-2.2.0.tgz (Root Library) ❌ node-forge-0.7.6.tgz (Vulnerable Library) Found in base branch: master
Vulnerability Details Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.