CVE-2025-66030
BaseFortify
Publication date: 2025-11-26
Last updated on: 2025-12-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| digitalbazaar | forge | to 1.3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Integer Overflow in the node-forge library (versions 1.3.1 and below) that allows remote, unauthenticated attackers to craft ASN.1 structures with Object Identifiers (OIDs) containing oversized arcs. Due to 32-bit bitwise truncation, these oversized arcs may be decoded as smaller, trusted OIDs, which can bypass security decisions that rely on OID validation. The issue has been fixed in version 1.3.2.
How can this vulnerability impact me? :
This vulnerability can allow attackers to bypass security mechanisms that depend on OID validation, potentially leading to unauthorized access or trust being granted incorrectly. Since the attacker can craft malicious ASN.1 structures that appear to have trusted OIDs, security decisions based on these OIDs may be circumvented, increasing the risk of exploitation.
What immediate steps should I take to mitigate this vulnerability?
Update node-forge to version 1.3.2 or later, where this Integer Overflow vulnerability has been patched.