CVE-2026-33894
Bleichenbacher Signature Forgery in Forge TLS Before
Publication date: 2026-03-27
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| digitalbazaar | forge | to 1.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the node-forge library to version 1.4.0 or later, where the vulnerability has been patched.
The patch enforces a minimum padding length of at least 8 bytes in the PKCS#1 v1.5 padding during signature verification and requires the ASN.1 DigestInfo structure to be canonical and contain exactly two fields, rejecting any extra ASN.1 content.
If upgrading immediately is not possible, consider the following temporary mitigations:
- Avoid using RSA keys with a low public exponent (e=3), as they are particularly vulnerable to Bleichenbacher-style forgery attacks.
- Implement additional signature verification using a trusted cryptographic library (e.g., OpenSSL) that correctly enforces PKCS#1 v1.5 padding and ASN.1 structure validation.
- Audit your codebase to identify and isolate uses of node-forge's RSA signature verification and apply stricter validation or replace with secure alternatives.
Can you explain this vulnerability to me?
CVE-2026-33894 is a high-severity vulnerability in the node-forge JavaScript library's implementation of RSA signature verification using the RSASSA-PKCS#1 v1.5 scheme, specifically for RSA keys with a low public exponent (e=3). The flaw allows attackers to forge RSA signatures by embedding extra, attacker-controlled ASN.1 fields (referred to as "garbage" bytes) inside the DigestInfo ASN.1 structure during signature verification. This bypasses the expected minimal and canonical DigestInfo format required by the standard, enabling Bleichenbacher-style signature forgery attacks.
The vulnerability arises because the verification function in node-forge does not enforce that the ASN.1 DigestInfo structure contains exactly two fields (algorithm identifier and digest) and allows additional ASN.1 content inside it. Additionally, the implementation fails to enforce a minimum padding length of at least 8 bytes as required by the PKCS#1 v1.5 specification. These weaknesses let attackers craft forged signatures that pass verification in node-forge but would be rejected by stricter implementations like OpenSSL.
The attack exploits the low public exponent (e=3) by constructing a forged signature whose cube root lies within a numeric interval defined by a crafted ASN.1 prefix plus extra garbage bytes. This crafted signature passes node-forge's verification despite being invalid. The issue was patched in node-forge version 1.4.0 by enforcing minimum padding length and requiring the DigestInfo ASN.1 structure to be canonical.
How can this vulnerability impact me? :
This vulnerability allows attackers to forge RSA signatures that will be accepted as valid by applications using vulnerable versions of node-forge (versions β€1.3.3) for signature verification with RSA keys having a low public exponent (e=3).
The impact is that an attacker can create malicious data or messages that appear to be legitimately signed by a trusted party, bypassing signature verification controls. This can lead to unauthorized actions, data tampering, or bypassing authentication mechanisms that rely on RSA signatures.
Because the forged signatures pass verification in node-forge but not in stricter cryptographic libraries like OpenSSL, systems relying solely on node-forge's verification are at risk of accepting forged signatures, potentially compromising data integrity and trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the acceptance of forged RSA signatures by the node-forge library versions prior to 1.4.0 when verifying RSASSA-PKCS#1 v1.5 signatures with low public exponent keys (e=3). Detection involves verifying whether your system uses a vulnerable version of node-forge (β€1.3.3) and whether it performs signature verification using the affected `key.verify(...)` function.
A practical detection approach includes running a proof-of-concept (PoC) script that attempts to verify both valid and forged signatures using node-forge. The PoC script (`repro_min.js`) demonstrates generating a 4096-bit RSA key with e=3, creating a valid signature and a forged signature, and then verifying both. If the forged signature passes verification, the system is vulnerable.
Since the vulnerability is specific to the node-forge library's signature verification, detection commands would involve executing JavaScript code that uses node-forge's `key.verify(...)` method to test signatures. There are no direct network commands or system commands to detect this vulnerability outside of testing the cryptographic verification logic.
To check the installed node-forge version on your system, you can run the following command in your project directory:
- npm list node-forge
To test the vulnerability, you can use or adapt the PoC script (`repro_min.js`) referenced in the advisory, which programmatically demonstrates the acceptance of forged signatures by vulnerable versions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-33894 is a cryptographic signature verification vulnerability in the node-forge library that allows attackers to forge RSA signatures due to improper validation of ASN.1 structures and insufficient padding checks. This flaw undermines the integrity and authenticity guarantees provided by digital signatures.
Since digital signatures are widely used to ensure data integrity and authenticity in systems subject to compliance frameworks such as GDPR and HIPAA, this vulnerability can lead to non-compliance by enabling attackers to bypass signature verification. This could result in unauthorized data modification or impersonation, violating data protection and security requirements mandated by these regulations.
Specifically, the vulnerability violates cryptographic best practices defined in standards like RFC 8017 and RFC 2313, which specify strict padding and ASN.1 structure requirements for RSA signatures. Failure to adhere to these standards can be viewed as improper implementation of security controls required by compliance regimes.
Therefore, organizations using vulnerable versions of node-forge (β€1.3.3) risk failing to meet the integrity and security controls required by common standards and regulations until they apply the patch in version 1.4.0 that enforces proper signature verification.