CVE-2026-33894
Received Received - Intake
Bleichenbacher Signature Forgery in Forge TLS Before

Publication date: 2026-03-27

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing β€œgarbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33894
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
digitalbazaar forge to 1.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary mitigation step is to upgrade the node-forge library to version 1.4.0 or later, where the vulnerability has been patched.

The patch enforces a minimum padding length of at least 8 bytes in the PKCS#1 v1.5 padding during signature verification and requires the ASN.1 DigestInfo structure to be canonical and contain exactly two fields, rejecting any extra ASN.1 content.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Avoid using RSA keys with a low public exponent (e=3), as they are particularly vulnerable to Bleichenbacher-style forgery attacks.
  • Implement additional signature verification using a trusted cryptographic library (e.g., OpenSSL) that correctly enforces PKCS#1 v1.5 padding and ASN.1 structure validation.
  • Audit your codebase to identify and isolate uses of node-forge's RSA signature verification and apply stricter validation or replace with secure alternatives.
Executive Summary

CVE-2026-33894 is a high-severity vulnerability in the node-forge JavaScript library's implementation of RSA signature verification using the RSASSA-PKCS#1 v1.5 scheme, specifically for RSA keys with a low public exponent (e=3). The flaw allows attackers to forge RSA signatures by embedding extra, attacker-controlled ASN.1 fields (referred to as "garbage" bytes) inside the DigestInfo ASN.1 structure during signature verification. This bypasses the expected minimal and canonical DigestInfo format required by the standard, enabling Bleichenbacher-style signature forgery attacks.

The vulnerability arises because the verification function in node-forge does not enforce that the ASN.1 DigestInfo structure contains exactly two fields (algorithm identifier and digest) and allows additional ASN.1 content inside it. Additionally, the implementation fails to enforce a minimum padding length of at least 8 bytes as required by the PKCS#1 v1.5 specification. These weaknesses let attackers craft forged signatures that pass verification in node-forge but would be rejected by stricter implementations like OpenSSL.

The attack exploits the low public exponent (e=3) by constructing a forged signature whose cube root lies within a numeric interval defined by a crafted ASN.1 prefix plus extra garbage bytes. This crafted signature passes node-forge's verification despite being invalid. The issue was patched in node-forge version 1.4.0 by enforcing minimum padding length and requiring the DigestInfo ASN.1 structure to be canonical.

Impact Analysis

This vulnerability allows attackers to forge RSA signatures that will be accepted as valid by applications using vulnerable versions of node-forge (versions ≀1.3.3) for signature verification with RSA keys having a low public exponent (e=3).

The impact is that an attacker can create malicious data or messages that appear to be legitimately signed by a trusted party, bypassing signature verification controls. This can lead to unauthorized actions, data tampering, or bypassing authentication mechanisms that rely on RSA signatures.

Because the forged signatures pass verification in node-forge but not in stricter cryptographic libraries like OpenSSL, systems relying solely on node-forge's verification are at risk of accepting forged signatures, potentially compromising data integrity and trust.

Detection Guidance

This vulnerability involves the acceptance of forged RSA signatures by the node-forge library versions prior to 1.4.0 when verifying RSASSA-PKCS#1 v1.5 signatures with low public exponent keys (e=3). Detection involves verifying whether your system uses a vulnerable version of node-forge (≀1.3.3) and whether it performs signature verification using the affected `key.verify(...)` function.

A practical detection approach includes running a proof-of-concept (PoC) script that attempts to verify both valid and forged signatures using node-forge. The PoC script (`repro_min.js`) demonstrates generating a 4096-bit RSA key with e=3, creating a valid signature and a forged signature, and then verifying both. If the forged signature passes verification, the system is vulnerable.

Since the vulnerability is specific to the node-forge library's signature verification, detection commands would involve executing JavaScript code that uses node-forge's `key.verify(...)` method to test signatures. There are no direct network commands or system commands to detect this vulnerability outside of testing the cryptographic verification logic.

To check the installed node-forge version on your system, you can run the following command in your project directory:

  • npm list node-forge

To test the vulnerability, you can use or adapt the PoC script (`repro_min.js`) referenced in the advisory, which programmatically demonstrates the acceptance of forged signatures by vulnerable versions.

Compliance Impact

CVE-2026-33894 is a cryptographic signature verification vulnerability in the node-forge library that allows attackers to forge RSA signatures due to improper validation of ASN.1 structures and insufficient padding checks. This flaw undermines the integrity and authenticity guarantees provided by digital signatures.

Since digital signatures are widely used to ensure data integrity and authenticity in systems subject to compliance frameworks such as GDPR and HIPAA, this vulnerability can lead to non-compliance by enabling attackers to bypass signature verification. This could result in unauthorized data modification or impersonation, violating data protection and security requirements mandated by these regulations.

Specifically, the vulnerability violates cryptographic best practices defined in standards like RFC 8017 and RFC 2313, which specify strict padding and ASN.1 structure requirements for RSA signatures. Failure to adhere to these standards can be viewed as improper implementation of security controls required by compliance regimes.

Therefore, organizations using vulnerable versions of node-forge (≀1.3.3) risk failing to meet the integrity and security controls required by common standards and regulations until they apply the patch in version 1.4.0 that enforces proper signature verification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33894. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart