CVE-2025-66031 Overview
CVE-2025-66031 is an Uncontrolled Recursion vulnerability affecting Forge (also known as node-forge), a native implementation of Transport Layer Security (TLS) in JavaScript. The vulnerability exists in node-forge versions 1.3.1 and below, where remote, unauthenticated attackers can craft deeply nested ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) condition via stack exhaustion when parsing untrusted DER-encoded inputs.
Critical Impact
Remote unauthenticated attackers can crash applications using node-forge by sending maliciously crafted ASN.1 structures, causing service unavailability through stack exhaustion.
Affected Products
- digitalbazaar forge versions ≤ 1.3.1
- Node.js applications using node-forge for TLS/cryptographic operations
- Web applications and services that parse untrusted DER-encoded certificates or data
Discovery Timeline
- 2025-11-26 - CVE-2025-66031 published to NVD
- 2025-12-06 - Last updated in NVD database
Technical Details for CVE-2025-66031
Vulnerability Analysis
The vulnerability resides in the ASN.1 parsing logic within lib/asn1.js of the node-forge library. ASN.1 (Abstract Syntax Notation One) is a standard interface for data structures commonly used in cryptographic operations, particularly for parsing X.509 certificates, PKCS structures, and other DER-encoded data.
The core issue is the absence of a recursion depth limit when parsing nested ASN.1 structures. ASN.1 structures can contain sequences and sets that themselves contain additional nested elements. When the parser encounters these nested structures, it recursively processes each level. An attacker can exploit this by crafting a DER-encoded structure with excessive nesting depth, causing the parser to recurse until the JavaScript call stack is exhausted.
This vulnerability is classified under CWE-674 (Uncontrolled Recursion), which occurs when a function calls itself repeatedly without proper termination conditions or depth limits.
Root Cause
The root cause is the missing recursion depth check in the ASN.1 parsing functions. Prior to version 1.3.2, the parser would blindly follow nested ASN.1 structures to arbitrary depths without enforcing any maximum limit. This design oversight allows malicious input to consume the entire call stack, resulting in a stack overflow and application crash.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Crafting a DER-encoded ASN.1 structure with deeply nested sequences
- Sending this malicious payload to any application endpoint that processes ASN.1/DER data using node-forge
- The recursive parser consumes the call stack, crashing the Node.js process
Common attack surfaces include:
- Certificate validation endpoints
- TLS handshake processing
- PKCS#7/CMS signature verification
- Any API accepting DER-encoded cryptographic structures
BMPSTRING: 30
};
+/**
+ * Sets the default maximum recursion depth when parsing ASN.1 structures.
+ */
+asn1.maxDepth = 256;
+
/**
* Creates a new asn1 object.
*
Source: GitHub Commit
Detection Methods for CVE-2025-66031
Indicators of Compromise
- Sudden Node.js process crashes with "Maximum call stack size exceeded" errors
- Repeated service restarts correlated with incoming requests containing certificate or ASN.1 data
- Abnormally large or deeply nested DER-encoded payloads in request logs
- Stack overflow exceptions in application error logs referencing asn1.js or forge parsing functions
Detection Strategies
- Monitor application logs for stack overflow exceptions specifically mentioning node-forge or ASN.1 parsing functions
- Implement dependency scanning to identify node-forge versions below 1.3.2 in your Node.js projects
- Use Software Composition Analysis (SCA) tools to detect vulnerable library versions in your codebase
- Review network traffic for unusually large or malformed DER-encoded payloads targeting certificate processing endpoints
Monitoring Recommendations
- Configure alerting on Node.js process crashes with stack exhaustion signatures
- Implement rate limiting on endpoints that process cryptographic data or certificates
- Monitor for repeated requests to certificate validation or TLS-related endpoints from single sources
- Set up health checks to detect and restart crashed services while investigating root cause
How to Mitigate CVE-2025-66031
Immediate Actions Required
- Upgrade node-forge to version 1.3.2 or later immediately
- Audit all Node.js applications and dependencies for node-forge usage
- Implement input validation to reject abnormally large DER payloads before they reach the parser
- Consider implementing request timeouts for operations involving certificate parsing
Patch Information
The vulnerability has been patched in node-forge version 1.3.2. The fix introduces a configurable maximum recursion depth limit (asn1.maxDepth = 256) that prevents unbounded recursive parsing. Organizations should upgrade to version 1.3.2 or later to remediate this vulnerability.
For detailed patch information, refer to the GitHub Security Advisory GHSA-554w-wpv2-vw27 and the security patch commit.
Workarounds
- If immediate upgrade is not possible, implement input size limits on endpoints accepting DER/ASN.1 data to reduce attack surface
- Add a proxy or WAF rule to inspect and reject requests with suspiciously large or malformed certificate payloads
- Consider wrapping forge parsing calls in try-catch blocks with process recovery mechanisms to prevent complete service outage
- Isolate certificate processing into separate worker processes to contain potential crashes
# Update node-forge to patched version
npm update node-forge@1.3.2
# Or using yarn
yarn upgrade node-forge@1.3.2
# Verify installed version
npm list node-forge
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
