Popular JavaScript library can be hacked to allow attackers into user accounts

News
By published

A package with 26 million weekly downloads carried a major flaw

JavaScript code on a computer screen
(Image credit: Shutterstock / BEST-BACKGROUNDS)
  • Node-forge cryptography library flaw (CVE-2025-12816) allowed bypass of signature and certificate validation
  • CERT-CC warns of risks including authentication bypass and signed data tampering
  • Maintainers released version 1.3.2; developers urged to update immediately

A popular JavaScript cryptography library is vulnerable in a way which could allow threat actors to break into user accounts. The library has since been updated, and users are urged to move to the new version as soon as possible.

The bug was found in the ‘node-forge’ package, a popular cryptography tool that provides functions for things like encryption, decryption, hashing, digital signatures, TLS/SSL, and key generation, all without needing native modules.

The bug lets an attacker craft a bogus ASN.1 data structure that tricks the library into skipping cryptographic checks and allowing signature, or certificate validation, to be bypassed. It is tracked as CVE-2025-12816 and is given a severity score of 8.6/10 (high). Abstract Syntax Notation One (ASN.1) is a standard format used for encoding data in certificates and cryptographic operations.

Significant impact

Carnegie Mellon CERT-CC also issued a security advisory, in which it said the bug can be abused in different ways, and may result in authentication bypass, signed data tempering, or misuses of certificate-related functions.

“In environments where cryptographic verification plays a central role in trust decisions, the potential impact can be significant,” CERT-CC said.

Node.js developers should care because node-forge is a core cryptography library used in countless web apps and services. It is also an immensely popular library, with almost 26 million weekly downloads on the Node Package Manager (npm) registry.

The vulnerability was discovered by cybersecurity researchers from Palo Alto Networks, and was responsibly disclosed to node-forge maintainers, who released a fix earlier this week.

The fix brings the library to version 1.3.2, and developers using node-forge are urged to switch to the new version as soon as possible. As a general rule of thumb, developers should promptly update cryptography dependencies in Node.js projects, as even widely used, trusted packages can contain critical flaws.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.