CVE-2025-66030
Integer Overflow vulnerability in node-forge (npm)
What is CVE-2025-66030 About?
This vulnerability is an Integer Overflow (CWE-190) in node-forge that allows remote, unauthenticated attackers to craft ASN.1 structures with oversized OID arcs. This can lead to misinterpretation of OIDs as trusted ones due to 32-bit integer truncation, bypassing security decisions. Exploitation is complex, requiring precise crafting of malicious ASN.1 objects.
Affected Software
Technical Details
An integer truncation vulnerability exists in the asn1.derToOid function within forge/lib/asn1.js of node-forge. OID components are decoded using JavaScript's bitwise left-shift operator (<<), which implicitly converts its operands to 32-bit signed integers. When an attacker provides a very large OID arc exceeding 2^31-1, the value silently overflows and wraps around instead of causing an error. As a result, a mathematically distinct, malicious OID can be erroneously interpreted as a smaller, trusted OID, enabling the bypass of OID-based security controls and decisions.
What is the Impact of CVE-2025-66030?
Successful exploitation may allow attackers to spoof OIDs, bypass OID-based security controls, and compromise data integrity, potentially leading to unauthorized access, confidentiality breaches, or other system integrity issues.
What is the Exploitability of CVE-2025-66030?
Exploitation complexity is high, demanding a deep understanding of ASN.1 encoding and JavaScript's integer handling. There are no authentication or privilege requirements; an attacker simply needs to be able to submit a crafted ASN.1 object for parsing. The attack is generally remote, targeting applications that consume and parse untrusted ASN.1 data (e.g., certificates, cryptographic messages). The special condition is the precise crafting of an ASN.1 OID with an arc integer that specifically triggers the 32-bit integer overflow during processing by asn1.derToOid. Risk factors are elevated in applications processing untrusted ASN.1 inputs, especially when OIDs are used for critical security checks like certificate policy enforcement or identifying trusted cryptographic algorithms.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-66030?
About the Fix from Resolved Security
This patch enforces strict limits on the size of OID values: encoding now throws if a value exceeds 32 bits, and decoding throws if reconstructing a value would exceed JavaScript’s Number.MAX_SAFE_INTEGER (53 bits). These checks prevent large OID values from triggering undefined behavior or integer overflows, addressing the root cause of CVE-2025-66030.
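The truncation described under Technical Details and the decoding limit described in the fix, shown on a single base-128 OID arc. This is an added example, not node-forge's code; the function names and the sample arc values are constructed for illustration.

```javascript
// Added illustration, not node-forge source; all function names are hypothetical.

// Build constructed sample input: one OID arc in base-128
// (7 value bits per byte, high bit set on every byte except the last).
function encodeArc(value) {
  let v = BigInt(value);
  const out = [Number(v & 0x7fn)];
  for (v >>= 7n; v > 0n; v >>= 7n) {
    out.unshift(Number(v & 0x7fn) | 0x80);
  }
  return Uint8Array.from(out);
}

// Shift-based accumulation: `<<` converts its left operand to a 32-bit
// signed integer, so bits above bit 31 are silently discarded.
function decodeArcShift(bytes) {
  let value = 0;
  for (const b of bytes) {
    value = value << 7;
    value += b & 0x7f;
  }
  return value;
}

// Checked accumulation: plain multiplication, refusing any arc whose
// reconstruction would pass Number.MAX_SAFE_INTEGER (53 bits).
const ARC_LIMIT = Math.floor(Number.MAX_SAFE_INTEGER / 128);
function decodeArcChecked(bytes) {
  let value = 0;
  for (const b of bytes) {
    if (value > ARC_LIMIT) {
      throw new RangeError('OID arc too large; max is 53 bits');
    }
    value = value * 128 + (b & 0x7f);
  }
  return value;
}

// Constructed arcs: an ordinary one, one past 32 bits, one past 53 bits.
function demo() {
  const wide = encodeArc(2n ** 32n + 5n);
  let rejected = false;
  try { decodeArcChecked(encodeArc(2n ** 60n)); } catch (e) { rejected = e instanceof RangeError; }
  return {
    ordinary: decodeArcChecked(encodeArc(113549)),
    shifted: decodeArcShift(wide),
    checked: decodeArcChecked(wide),
    rejected,
  };
}
console.log(demo());
```

The 33-bit arc decodes to 5 with the shift-based loop and to 4294967301 with the checked loop, so an equality check against an allow-listed OID is only reliable with the latter.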
Available Upgrade Options
- node-forge
- <1.3.2 → Upgrade to 1.3.2
Additional Resources
- https://osv.dev/vulnerability/GHSA-65ch-62r8-g69g
- https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb
- https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g
- https://github.com/digitalbazaar/forge
What are Similar Vulnerabilities to CVE-2025-66030?
Similar Vulnerabilities: CVE-2023-45867, CVE-2022-31128, CVE-2021-44789, CVE-2020-8174, CVE-2019-14737
