Insecure digital certificates in pcs
Description
A flaw was found in Forge (also known as node-forge), a JavaScript implementation of Transport Layer Security (TLS). The pki.verifyCertificateChain() function does not properly enforce certificate validation rules: an intermediate certificate that lacks the required security extensions is still accepted as an issuer, so any leaf certificate can function as a Certificate Authority (CA) and sign other certificates. Consequently, node-forge could accept these unauthorized certificates as valid, potentially leading to spoofing or the issuance of illegitimate certificates.
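As an added illustration (not node-forge's own code), the following chain check enforces the issuer constraints that the description says were missing. It assumes those constraints are the RFC 5280 basicConstraints cA flag, the keyCertSign key usage and pathLenConstraint, and it models certificates as constructed plain objects rather than real X.509 data, with `signedBy` standing in for a verified signature.

```javascript
// Added example: issuer checks that a chain validator must apply to every
// certificate that signs another one. Certificates are constructed plain
// objects (a stand-in for parsed X.509 certs), not real certificates.
function caCheckFailure(issuer, intermediatesBelow) {
  const bc = issuer.basicConstraints;
  // RFC 5280 4.2.1.9: only a cert with basicConstraints cA=TRUE may issue certs
  if (!bc || bc.cA !== true) return `${issuer.subject} is not a CA`;
  // If keyUsage is present it must include keyCertSign (RFC 5280 4.2.1.3)
  if (issuer.keyUsage && !issuer.keyUsage.includes("keyCertSign")) {
    return `${issuer.subject} lacks keyCertSign`;
  }
  // pathLenConstraint bounds the number of intermediate CAs below this one
  if (bc.pathLenConstraint !== undefined && intermediatesBelow > bc.pathLenConstraint) {
    return `${issuer.subject} pathLenConstraint ${bc.pathLenConstraint} exceeded`;
  }
  return null;
}

// chain is ordered [end entity, intermediate..., root]; trusted is a Set of
// root subjects. enforceCaConstraints=false reproduces the flawed behaviour
// described above, where only the signature relationship is checked.
function verifyCertificateChain(chain, trusted, enforceCaConstraints = true) {
  if (chain.length === 0) return { ok: false, reason: "empty chain" };
  const root = chain[chain.length - 1];
  if (!trusted.has(root.subject)) return { ok: false, reason: "root not trusted" };
  for (let i = 0; i < chain.length - 1; i++) {
    const child = chain[i], issuer = chain[i + 1];
    if (child.issuer !== issuer.subject || child.signedBy !== issuer.subject) {
      return { ok: false, reason: `${child.subject} not signed by ${issuer.subject}` };
    }
    if (enforceCaConstraints) {
      // i = number of intermediate certs between this issuer and the end entity
      const failure = caCheckFailure(issuer, i);
      if (failure) return { ok: false, reason: failure };
    }
  }
  return { ok: true, reason: null };
}

// Constructed sample chain; names are placeholders, no real certificates.
const root = { subject: "Root CA", issuer: "Root CA", signedBy: "Root CA",
  basicConstraints: { cA: true }, keyUsage: ["keyCertSign", "cRLSign"] };
const intermediate = { subject: "Intermediate CA", issuer: "Root CA", signedBy: "Root CA",
  basicConstraints: { cA: true, pathLenConstraint: 0 }, keyUsage: ["keyCertSign"] };
const leaf = { subject: "www.example.test", issuer: "Intermediate CA",
  signedBy: "Intermediate CA", keyUsage: ["digitalSignature"] }; // end entity, not a CA
const rogue = { subject: "login.example.test", issuer: "www.example.test",
  signedBy: "www.example.test" }; // issued by the leaf, must be rejected
const trusted = new Set(["Root CA"]);
const legit = verifyCertificateChain([leaf, intermediate, root], trusted);
const flawed = verifyCertificateChain([rogue, leaf, intermediate, root], trusted, false);
const fixed = verifyCertificateChain([rogue, leaf, intermediate, root], trusted);
```

`flawed.ok` is true because the signature relationship alone holds, while `fixed.ok` is false with the reason that www.example.test is not a CA.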
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| rpm rhel9 | - | - | |
| npm | 1.4.0 | | |
| rpm rhel8 | - | - | |
Aliases
References