CVE-2025-66031
Uncontrolled Recursion vulnerability in node-forge (npm)

Uncontrolled Recursion | No known exploit | Fixable by Resolved Security

What is CVE-2025-66031 About?

This vulnerability is an Uncontrolled Recursion (CWE-674) in node-forge. Remote, unauthenticated attackers can supply deeply nested ASN.1 structures that trigger unbounded recursive parsing, leading to a Denial-of-Service via stack exhaustion. Exploitation is relatively straightforward for an attacker who can send untrusted ASN.1 inputs.

Affected Software

node-forge <1.3.2

Technical Details

An ASN.1 Denial of Service (DoS) vulnerability exists in the asn1.fromDer function (specifically the _fromDer implementation) within forge/lib/asn1.js of node-forge. The ASN.1 DER parser recursively calls itself for each constructed ASN.1 value (e.g., SEQUENCE, SET). Critically, there is no depth guard or limit on this recursion. An attacker can create a small DER blob that contains an extremely large nesting depth of constructed Tag-Length-Value (TLV) structures. When node-forge attempts to parse this malformed input, the deep recursion exhausts the JavaScript V8 engine's call stack, leading to a RangeError: Maximum call stack size exceeded and effectively crashing or incapacitating the process handling the parsing requests.

What is the Impact of CVE-2025-66031?

Successful exploitation may allow attackers to cause a denial-of-service condition by crashing affected applications or services, leading to a complete loss of availability.

What is the Exploitability of CVE-2025-66031?

Exploitation complexity is low to moderate. An attacker does not need any authentication or specific privileges beyond the ability to send untrusted ASN.1 data to a vulnerable application. The attack is remote, targeting applications that process ASN.1 objects, such as those involved in TLS connections or certificate parsing. The primary special condition is the ability for the attacker to provide malformed ASN.1 input to the application. Risk factors that increase exploitation likelihood include applications that expose node-forge's ASN.1 parsing functionality to untrusted external inputs without proper depth limiting or input validation, making them susceptible to remote DoS attacks.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2025-66031?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch introduces a maximum recursion depth (default 256) when parsing ASN.1 structures, and enforces it in the internal parsing function to prevent excessive nesting. By limiting recursion depth, it mitigates stack overflows or denial of service attacks caused by deeply nested ASN.1 input, thereby fixing vulnerability CVE-2025-66031.
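The kind of depth limit described above can be illustrated with a check that runs on DER bytes before they reach the parser. This is an added example, not the Resolved Security patch and not node-forge code; the names derNestingDepth, MAX_DEPTH and SAMPLE are hypothetical, and it counts only constructed TLV nesting as described on this page.

```javascript
// Added example (hypothetical names): iterative DER nesting-depth check.
const MAX_DEPTH = 256; // default limit quoted on this page for the fix

// Constructed sample: SEQUENCE { SEQUENCE { SEQUENCE { NULL } } }, depth 3.
const SAMPLE = Buffer.from('3006300430020500', 'hex');

// Returns the deepest constructed-TLV nesting level in `der`, or throws a
// RangeError if the input is truncated, uses a non-DER length, or nests
// deeper than `maxDepth`. It keeps an explicit stack of end offsets instead
// of recursing, so the check itself cannot exhaust the call stack.
function derNestingDepth(der, maxDepth = MAX_DEPTH) {
  const ends = [der.length]; // end offset of each open constructed value
  let pos = 0;
  let deepest = 0;
  while (pos < der.length) {
    // Leave every constructed value that ends at the current offset.
    while (ends.length > 1 && pos === ends[ends.length - 1]) ends.pop();
    const tag = der[pos++];
    if ((tag & 0x1f) === 0x1f) {
      // High-tag-number form: skip continuation bytes, then the final byte.
      while (pos < der.length && (der[pos] & 0x80)) pos++;
      pos++;
    }
    if (pos >= der.length) throw new RangeError('truncated TLV header');
    let len = der[pos++];
    if (len === 0x80) throw new RangeError('indefinite length is not DER');
    if (len & 0x80) {
      // Long form: low 7 bits give the number of length bytes that follow.
      const n = len & 0x7f;
      if (n > 4 || pos + n > der.length) throw new RangeError('bad length');
      len = 0;
      for (let i = 0; i < n; i++) len = len * 256 + der[pos++];
    }
    const end = pos + len;
    if (end > ends[ends.length - 1]) throw new RangeError('TLV overruns parent');
    if (tag & 0x20) {
      // Constructed (bit 6 set): descend into the contents.
      ends.push(end);
      const depth = ends.length - 1;
      if (depth > maxDepth) throw new RangeError('ASN.1 nesting exceeds ' + maxDepth);
      if (depth > deepest) deepest = depth;
    } else {
      pos = end; // primitive: skip the contents
    }
  }
  return deepest;
}
```

A caller would run this on untrusted bytes and reject the input on RangeError before handing it to asn1.fromDer.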

Available Upgrade Options

  • node-forge
    • <1.3.2 → Upgrade to 1.3.2

Additional Resources

What are Similar Vulnerabilities to CVE-2025-66031?

Similar Vulnerabilities: CVE-2023-28485, CVE-2022-26937, CVE-2021-36067, CVE-2020-8175, CVE-2019-14875