Skip to content

Bump node-forge from 1.3.0 to 1.3.2#112

Open
renovate-pagopa[bot] wants to merge 1 commit intomasterfrom
renovate/node-forge-to-1.3.2
Open

Bump node-forge from 1.3.0 to 1.3.2#112
renovate-pagopa[bot] wants to merge 1 commit intomasterfrom
renovate/node-forge-to-1.3.2

Conversation

@renovate-pagopa
Copy link

@renovate-pagopa renovate-pagopa bot commented Nov 27, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
node-forge 1.3.0 -> 1.3.2 age confidence

For further information on security, please refer to the Confluence page link

Release Notes

digitalbazaar/forge (node-forge)

v1.3.2

Compare Source

Security
  • HIGH: ASN.1 Validator Desynchronization
    • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions
      1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1
      structures to desynchronize schema validations, yielding a semantic
      divergence that may bypass downstream cryptographic verifications and
      security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-12816
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: ASN.1 Unbounded Recursion
    • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions
      1.3.1 and below enables remote, unauthenticated attackers to craft deep
      ASN.1 structures that trigger unbounded recursive parsing. This leads to a
      Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER
      inputs.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66031
    • GHSA ID: GHSA-554w-wpv2-vw27
  • MODERATE: ASN.1 OID Integer Truncation
    • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1
      and below enables remote, unauthenticated attackers to craft ASN.1
      structures containing OIDs with oversized arcs. These arcs may be decoded
      as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the
      bypass of downstream OID-based security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66030
    • GHSA ID: GHSA-65ch-62r8-g69g
Fixed
  • [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC
    verification bypass due to missing macData enforcement and improper
    asn1.validate routine.
  • [asn1] Add fromDer() max recursion depth check.
    • Add a asn1.maxDepth global configurable maximum depth of 256.
    • Add a asn1.fromDer() per-call maxDepth option.
    • NOTE: The default maximum is assumed to be higher than needed for valid
      data. If this assumption is false then this could be a breaking change.
      Please file an issue if there are use cases that need a higher maximum.
    • NOTE: The per-call maxDepth parameter has not been exposed up through
      all of the API stack due to the complexities involved. Please file an issue
      if there are use cases that require this instead of changing the default
      maximum.
  • [asn1] Improve OID handling.
    • Error on parsed OID values larger than 2**32 - 1.
    • Error on DER OID values larger than 2**53 - 1 .

v1.3.1

Compare Source

Security
  • HIGH: ASN.1 Validator Desynchronization
    • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions
      1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1
      structures to desynchronize schema validations, yielding a semantic
      divergence that may bypass downstream cryptographic verifications and
      security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-12816
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: ASN.1 Unbounded Recursion
    • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions
      1.3.1 and below enables remote, unauthenticated attackers to craft deep
      ASN.1 structures that trigger unbounded recursive parsing. This leads to a
      Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER
      inputs.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66031
    • GHSA ID: GHSA-554w-wpv2-vw27
  • MODERATE: ASN.1 OID Integer Truncation
    • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1
      and below enables remote, unauthenticated attackers to craft ASN.1
      structures containing OIDs with oversized arcs. These arcs may be decoded
      as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the
      bypass of downstream OID-based security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66030
    • GHSA ID: GHSA-65ch-62r8-g69g
Fixed
  • [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC
    verification bypass due to missing macData enforcement and improper
    asn1.validate routine.
  • [asn1] Add fromDer() max recursion depth check.
    • Add a asn1.maxDepth global configurable maximum depth of 256.
    • Add a asn1.fromDer() per-call maxDepth option.
    • NOTE: The default maximum is assumed to be higher than needed for valid
      data. If this assumption is false then this could be a breaking change.
      Please file an issue if there are use cases that need a higher maximum.
    • NOTE: The per-call maxDepth parameter has not been exposed up through
      all of the API stack due to the complexities involved. Please file an issue
      if there are use cases that require this instead of changing the default
      maximum.
  • [asn1] Improve OID handling.
    • Error on parsed OID values larger than 2**32 - 1.
    • Error on DER OID values larger than 2**53 - 1 .

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@renovate-pagopa renovate-pagopa bot added the OER label Nov 27, 2025
@github-actions
Copy link

github-actions bot commented Nov 27, 2025

Jira Pull request Link

It seems this Pull Request has no issues that refers to Jira!!!
Please check it out.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 27, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate-pagopa
Copy link
Author

renovate-pagopa bot commented Feb 5, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
Unknown Syntax Error: Unsupported option name ("--ignore-platform").

$ yarn install [--json] [--immutable] [--immutable-cache] [--refresh-lockfile] [--check-cache] [--check-resolutions] [--inline-builds] [--mode #0]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

OER

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants