CVE-2026-33894: Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.
Security readout for executives and security teams
Plain-English summary
Forge/node-forge before 1.4.0 may wrongly accept forged RSA signatures in specific PKCS#1 v1.5 verification cases. This is an integrity issue: systems relying on Forge to trust signed data could accept data that was not genuinely signed.
Executive priority
Treat this as high priority where Forge is used to validate trust decisions. Patch dependency versions promptly, with fastest attention on internet-facing or partner-facing systems that accept signed inputs.
Technical view
The flaw is in RSASSA PKCS#1 v1.5 signature verification for low public exponent keys, especially e=3. Forge accepts malformed ASN.1 structures containing extra bytes and also misses the required minimum padding length, enabling Bleichenbacher-style signature forgery. Version 1.4.0 fixes it.
Likely exposure
Exposure is likely in JavaScript applications or bundled products using forge/node-forge before 1.4.0 for RSA-PKCS#1 v1.5 signature verification, especially where externally supplied signatures, certificates, or signed objects are trusted.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation. The CVSS vector indicates network-reachable, unauthenticated, low-complexity exploitation with high integrity impact, but no confidentiality or availability impact is claimed.
Researcher notes
Evidence supports an implementation-level signature verification flaw similar to CVE-2022-24771, but with malformed bytes inside an ASN.1 field. Public sources identify the patched version, not active exploitation or broader affected products beyond Forge consumers.
Mitigation direction
Upgrade forge/node-forge to version 1.4.0 or later.
Check vendor advisories, including Red Hat errata, for packaged dependency fixes.
Inventory applications and products that bundle forge as a transitive dependency.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-20: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-20 · source CWE mapping
Improper Input Validation
Improper Input Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Verification of Cryptographic Signature represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.