Fluid Attacks Database

Description

A flaw was found in Forge (also called node-forge), a JavaScript implementation of Transport Layer Security. A remote attacker could exploit weaknesses in the RSASSA PKCS#1 v1.5 signature verification process. By crafting malicious signatures that include extra data within the ASN structure and do not meet padding requirements, an attacker can bypass signature validation. This allows for the creation of forged signatures that appear legitimate, potentially compromising the integrity and authenticity of communications.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	node-forge	>=0 <1.4.0	1.4.0
rpm rhel9	pcs	-	-

Aliases

1. CVE-2026-338942. NVD-2026-338943. OSV-2026-338944. GHSA-cfm4-qjh2-47655. GHSA-ppp5-5v6c-4jwp6. GCVE-2026-33894

References

1. https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-47652. https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp3. https://datatracker.ietf.org/doc/html/rfc2313#section-84. https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE5. https://www.rfc-editor.org/rfc/rfc8017.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.