Description
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Problem types
CWE-436 Interpretation Conflict
Product status
Credits
This issue was reported by Hunter Wodzenski of Palo Alto Networks
References
www.kb.cert.org/vuls/id/521113
www.npmjs.com/package/node-forge
github.com/digitalbazaar/forge/pull/1124
github.com/digitalbazaar/forge
kb.cert.org/vuls/id/521113 (CERT/CC Vulnerability Notice)
github.com/.../forge/security/advisories/GHSA-5gfm-wpxj-wjgq (Github Security Advisory)
