CVE-2022-24772 Overview
CVE-2022-24772 affects node-forge, a JavaScript implementation of Transport Layer Security (TLS) maintained by Digital Bazaar. The vulnerability resides in the RSA PKCS#1 v1.5 signature verification code, which fails to check for trailing garbage bytes after decoding a DigestInfo Abstract Syntax Notation One (ASN.1) structure. An attacker can remove padding bytes and append arbitrary data to forge a valid signature when a low public exponent is used. The flaw is categorized as Improper Verification of Cryptographic Signature [CWE-347] and impacts integrity of trust decisions made by applications relying on the library.
Critical Impact
Remote attackers can forge RSA signatures without the private key, undermining authenticity guarantees for any application using node-forge for signature verification.
Affected Products
- Digital Bazaar node-forge versions prior to 1.3.0
- Node.js applications consuming the digitalbazaar:forge package
- Downstream libraries that depend on node-forge for PKCS#1 v1.5 signature verification
Discovery Timeline
- 2022-03-18 - CVE-2022-24772 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24772
Vulnerability Analysis
The vulnerability is a variant of the Bleichenbacher signature forgery attack against RSA PKCS#1 v1.5. During verification, node-forge decodes the DigestInfo ASN.1 structure embedded in the padded signature block but does not enforce that the decoded structure consumes the full payload. An attacker can construct a signature whose DigestInfo parses successfully while leaving unparsed trailing bytes. With a low public exponent such as e=3, the attacker can compute a cube root over the integers to produce a value that, when raised to the third power, yields a block matching the expected hash digest at the correct offset but containing attacker-controlled garbage afterward.
As a result, node-forge accepts forged signatures over arbitrary messages from an attacker who does not possess the signer's private key. Any authentication flow, code signing, certificate chain, or JSON Web Token (JWT) verification relying on this code path can be bypassed.
Root Cause
The parser in lib/asn1.js accepted truncated parses by default and did not validate that every byte of the input was consumed during DigestInfo decoding. This permissive parsing, combined with the algebraic structure of RSA with a low public exponent, enabled signature forgery.
Attack Vector
Exploitation is network-reachable and requires no authentication or user interaction. An attacker submits a crafted signature alongside a chosen message to any service or workflow that calls node-forge PKCS#1 v1.5 verification against a public key with a low exponent.
// Security patch in lib/asn1.js - enforces full-byte parsing
// Source: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1
* [strict] true to be strict when checking value lengths, false to
* allow truncated values (default: true).
+ * [parseAllBytes] true to ensure all bytes are parsed
+ * (default: true)
* [decodeBitStrings] true to attempt to decode the content of
* BIT STRINGs (not OCTET STRINGs) using strict mode.
+ *
+ * @throws Will throw an error for various malformed input conditions.
*
* @return the parsed asn1 object.
*/
asn1.fromDer = function(bytes, options) {
if(options === undefined) {
options = {
strict: true,
+ parseAllBytes: true,
decodeBitStrings: true
};
}
if(typeof options === 'boolean') {
options = {
strict: options,
+ parseAllBytes: true,
decodeBitStrings: true
};
The patch introduces the parseAllBytes option, defaulted to true, so trailing garbage after a valid DigestInfo now triggers a parse error and rejects the signature.
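The difference between a verifier that ignores bytes after DigestInfo and one that accounts for the whole block can be seen on the decoded block alone. The following is an added example, not node-forge's code or its patch: lenientCheck is a simplified model of the flaw described above, and strictCheck uses a different technique from the patch, the encode-and-compare approach of RFC 8017 section 8.2.2. The digest and both blocks are constructed sample values.

```javascript
// DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2).
const SHA256_PREFIX = Buffer.from('3031300d060960864801650304020105000420', 'hex');

// The single valid EMSA-PKCS1-v1_5 block for a digest: 00 01 FF..FF 00 || DigestInfo.
function expectedEm(digest, k) {
  const t = Buffer.concat([SHA256_PREFIX, digest]);
  const ps = Buffer.alloc(k - t.length - 3, 0xff);
  return Buffer.concat([Buffer.from([0x00, 0x01]), ps, Buffer.from([0x00]), t]);
}

// Simplified model of the flawed behaviour: skip the padding, match one
// DigestInfo, and never look at the bytes that follow it.
function lenientCheck(em, digest) {
  if (em[0] !== 0x00 || em[1] !== 0x01) return false;
  let i = 2;
  while (i < em.length && em[i] === 0xff) i++;
  if (em[i++] !== 0x00) return false;
  const t = Buffer.concat([SHA256_PREFIX, digest]);
  return em.subarray(i, i + t.length).equals(t);
}

// Encode-and-compare: rebuild the expected block and require a byte-for-byte
// match, so short padding and trailing bytes both fail.
function strictCheck(em, digest, k) {
  return em.length === k && em.equals(expectedEm(digest, k));
}

// Constructed sample data: a placeholder 32-byte digest and a 2048-bit block size.
const K = 256;
const DIGEST = Buffer.alloc(32, 0xab);
const GOOD_EM = expectedEm(DIGEST, K);
// Malformed block: padding cut to 8 bytes, remainder filled with filler bytes.
const T = Buffer.concat([SHA256_PREFIX, DIGEST]);
const BAD_EM = Buffer.concat([
  Buffer.from([0x00, 0x01]), Buffer.alloc(8, 0xff), Buffer.from([0x00]),
  T, Buffer.alloc(K - 11 - T.length, 0x5a),
]);

console.log('lenient accepts malformed block:', lenientCheck(BAD_EM, DIGEST));
console.log('strict accepts malformed block: ', strictCheck(BAD_EM, DIGEST, K));
```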
Detection Methods for CVE-2022-24772
Indicators of Compromise
- Successful authentication or verification events for node-forge-based services that cannot be correlated to a legitimate signing key holder
- Inbound requests containing RSA signatures over keys with public exponent e=3 directed at JWT, certificate, or message verification endpoints
- Presence of node-forge versions below 1.3.0 in package-lock.json or node_modules manifests across production systems
Detection Strategies
- Run software composition analysis (SCA) against Node.js dependency trees to enumerate every direct and transitive use of digitalbazaar/forge prior to 1.3.0
- Inspect application logs for verification operations that succeed against unusually short or low-exponent RSA keys
- Correlate cryptographic verification events with downstream privileged actions to flag anomalous trust decisions
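Enumerating vulnerable copies can be done directly from a parsed package-lock.json. The following is an added example, not part of the original advisory or of any SCA product; it handles the flat packages map of lockfileVersion 2 and 3 and the nested dependencies tree of lockfileVersion 1, and the sample lockfile with its package names demo-app and legacy-signer is constructed.

```javascript
// First fixed release of node-forge for CVE-2022-24772.
const FIXED = [1, 3, 0];

// True when a plain x.y.z version (optionally with a pre-release tag) is below 1.3.0.
function isBelowFixed(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((parts[i] || 0) !== FIXED[i]) return (parts[i] || 0) < FIXED[i];
  }
  return version.includes('-'); // a 1.3.0 pre-release sorts below 1.3.0
}

// Return { path, version } for every installed copy of node-forge below 1.3.0.
function findVulnerableForge(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/node-forge') && meta.version && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested tree, walked only when no flat map exists.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'node-forge' && meta.version && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, one old nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-forge': { version: '1.3.1' },
    'node_modules/legacy-signer/node_modules/node-forge': { version: '0.10.0' },
  },
};

console.log(findVulnerableForge(SAMPLE_LOCK));
```

In a real project, pass it the result of JSON.parse on the lockfile contents and fail the CI job when the returned list is not empty.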
Monitoring Recommendations
- Forward application and TLS verification logs to a centralized analytics platform and alert on unexpected acceptance of signatures with e=3 public keys
- Monitor egress and ingress traffic for clients pinning low-exponent certificates against services that depend on node-forge
- Track package upgrade status across CI/CD pipelines to confirm remediation of vulnerable builds
How to Mitigate CVE-2022-24772
Immediate Actions Required
- Upgrade node-forge to version 1.3.0 or later in all applications, container images, and serverless functions
- Audit transitive dependencies with npm ls node-forge and force-resolve vulnerable versions using package overrides or resolutions
- Rotate any signing keys with a public exponent of 3 and re-issue dependent certificates or tokens where feasible
- Review verification code paths that accept externally supplied signatures and confirm they invoke the patched library
Patch Information
The fix is delivered in node-forge 1.3.0 through commits 3f0b49a and bb822c0. Full details are documented in the GitHub Security Advisory GHSA-x4jg-mjrx-434g. The patch adds a parseAllBytes option to asn1.fromDer and registers the missing md2 object identifier in lib/oids.js.
Workarounds
- No vendor-supplied workarounds exist; upgrading to 1.3.0 is the only supported remediation
- Where upgrade is not immediately possible, replace PKCS#1 v1.5 verification with RSASSA-PSS or migrate to a different cryptographic library
- Reject any public keys with low exponents (e<65537) at the application boundary to reduce exposure to forgery primitives
# Upgrade node-forge across a Node.js project
npm install node-forge@^1.3.0
# Verify resolved versions, including transitive copies
npm ls node-forge
# Force a single resolved version using package.json overrides
# "overrides": { "node-forge": "^1.3.0" }
npm install


