npm vulnerability intelligence

node-forge NPM Package
Vulnerability Check

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.


node-forge

v1.4.0 · (BSD-3-Clause OR GPL-2.0) · 34,982,655 dl/wk

Advisory Breakdown

Critical 0
High 9
Moderate 3
Low 3

Severity Rating

High severity

15 advisories


Known advisories

OSV records for the npm ecosystem

GHSA-2328-f5f3-gj25 CVE-2026-33896 high

Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)

Affected: >=0 <1.4.0 Fixed in: 1.4.0 Updated Mar 31, 2026
GHSA-2r2c-g63r-vccr CVE-2022-24773 moderate

Improper Verification of Cryptographic Signature in `node-forge`

Affected: >=0 <1.3.0 Fixed in: 1.3.0 Updated Nov 8, 2023
GHSA-554w-wpv2-vw27 CVE-2025-66031 high

node-forge has ASN.1 Unbounded Recursion

Affected: >=0 <1.3.2 Fixed in: 1.3.2 Updated Feb 4, 2026
GHSA-5gfm-wpxj-wjgq CVE-2025-12816 high

node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization

Affected: >=0 <1.3.2 Fixed in: 1.3.2 Updated Feb 4, 2026
GHSA-5m6q-g25r-mvwx CVE-2026-33891 high

Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

Affected: >=0 <1.4.0 Fixed in: 1.4.0 Updated Mar 31, 2026
GHSA-5rrq-pxf6-6jx5 low

Prototype Pollution in node-forge debug API.

Affected: >=0 <1.0.0 Fixed in: 1.0.0 Updated Jan 7, 2022
GHSA-65ch-62r8-g69g CVE-2025-66030 moderate

node-forge is vulnerable to ASN.1 OID Integer Truncation

Affected: >=0 <1.3.2 Fixed in: 1.3.2 Updated Feb 4, 2026
GHSA-8fr3-hfg3-gpgp CVE-2022-0122 moderate

Open Redirect in node-forge

Affected: >=0 <1.0.0 Fixed in: 1.0.0 Updated Nov 8, 2023
GHSA-92xj-mqp7-vmcj CVE-2020-7720 high

Prototype Pollution in node-forge

Affected: >=0 <0.10.0 Fixed in: 0.10.0 Updated Jan 14, 2025
GHSA-cfm4-qjh2-4765 CVE-2022-24771 high

Improper Verification of Cryptographic Signature in node-forge

Affected: >=0 <1.3.0 Fixed in: 1.3.0 Updated Nov 8, 2023
GHSA-gf8q-jrpm-jvxq low

URL parsing in node-forge could lead to undesired behavior.

Affected: >=0 <1.0.0 Fixed in: 1.0.0 Updated Jan 7, 2022
GHSA-ppp5-5v6c-4jwp CVE-2026-33894 high

Forge has signature forgery in RSA-PKCS due to ASN.1 extra field

Affected: >=0 <1.4.0 Fixed in: 1.4.0 Updated Mar 31, 2026
GHSA-q67f-28xg-22rw CVE-2026-33895 high

Forge has signature forgery in Ed25519 due to missing S > L check

Affected: >=0 <1.4.0 Fixed in: 1.4.0 Updated Mar 31, 2026
GHSA-wxgw-qj99-44c2 low

Prototype Pollution in node-forge util.setPath API

Affected: >=0 <0.10.0 Fixed in: 0.10.0 Updated Jan 7, 2022
GHSA-x4jg-mjrx-434g CVE-2022-24772 high

Improper Verification of Cryptographic Signature in node-forge

Affected: >=0 <1.3.0 Fixed in: 1.3.0 Updated Nov 8, 2023

Checked Jun 6, 2026, 3:54 AM from npm and OSV.dev

Package metadata

From the npm registry

Package name: node-forge
Ecosystem: npm
Latest version: 1.4.0
License: (BSD-3-Clause OR GPL-2.0)
Weekly downloads: 34,982,655

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows
Login attempts
API traffic
