Update dependency node-forge to v1.4.0 by ivan-flamingo · Pull Request #31 · flamingo-stack/meshcentral · GitHub

Update dependency node-forge to v1.4.0#31

Open
ivan-flamingo wants to merge 1 commit into master from renovate/node-forge-1.x

Conversation

@ivan-flamingo ivan-flamingo commented Jun 9, 2026


This PR contains the following updates:

Package     Type          Update  Change
node-forge  dependencies  minor   1.3.2 -> 1.4.0

Release Notes

digitalbazaar/forge (node-forge)

v1.4.0


Security
  • HIGH: Denial of Service in BigInteger.modInverse()
    • A Denial of Service (DoS) vulnerability exists due to an infinite loop in
      the BigInteger.modInverse() function (inherited from the bundled jsbn
      library). When modInverse() is called with a zero value as input, the
      internal Extended Euclidean Algorithm enters an unreachable exit condition,
      causing the process to hang indefinitely and consume 100% CPU.
    • Reported by Kr0emer.
    • CVE ID: CVE-2026-33891
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
    • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low
      public exponent keys (e=3). Attackers can forge signatures by stuffing
      "garbage" bytes within the ASN.1 structure in order to construct a
      signature that passes verification, enabling Bleichenbacher style forgery.
      This issue is similar to CVE-2022-24771, but adds bytes in an additional
      field within the ASN.1 structure, rather than outside of it.
    • Additionally, forge does not validate that signatures include a minimum of
      8 bytes of padding as defined by the specification, providing attackers
      additional space to construct Bleichenbacher forgeries.
    • Reported as part of a U.C. Berkeley security research project by:
      • Austin Chu, Sohee Kim, and Corban Villa.
    • CVE ID: CVE-2026-33894
    • GHSA ID: GHSA-ppp5-5v6c-4jwp
  • HIGH: Signature forgery in Ed25519 due to missing S < L check.
    • Ed25519 signature verification accepts forged non-canonical signatures
      where the scalar S is not reduced modulo the group order (S >= L). A valid
      signature and its S + L variant both verify in forge, while Node.js
      crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the
      specification. This class of signature malleability has been exploited in
      practice to bypass authentication and authorization logic (see
      CVE-2026-25793, CVE-2022-35961). Applications relying on signature
      uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object
      canonicalization checks) may be bypassed.
    • Reported as part of a U.C. Berkeley security research project by:
      • Austin Chu, Sohee Kim, and Corban Villa.
    • CVE ID: CVE-2026-33895
    • GHSA ID: GHSA-q67f-28xg-22rw
  • HIGH: basicConstraints bypass in certificate chain verification.
    • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints
      requirements when an intermediate certificate lacks both the
      basicConstraints and keyUsage extensions. This allows any leaf
      certificate (without these extensions) to act as a CA and sign other
      certificates, which node-forge will accept as valid.
    • Reported by Doruk Tan Ozturk (@peaktwilight) - doruk.ch
    • CVE ID: CVE-2026-33896
    • GHSA ID: GHSA-2328-f5f3-gj25
Added
  • [oid] Added requested OID:
    • 2.5.4.65 / pseudonym
Changed
  • [jsbn] Update to jsbn 1.4. Sync partly back to original style for easier
    updates every decade or so.
Fixed
  • [jsbn] Fix BigInteger.modInverse to avoid an infinite loop and exit early
    with zero when the target object value is <= 0. Zero may not be strictly
    mathematically correct but aligns with current jsbn behavior returning zero
    in other situations. The alternate of a RangeError would diverge from the
    rest of the API.
  • [rsa] Fix padding length check according to RFC 2313 8.1 note 6. Padding is
    required to be eight octets for block types 1 and 2.
  • [rsa] Fix RFC 8017 DigestInfo parsing to require a sequence length of two.
  • [ed25519] Add canonical signature scalar check for S < L.
  • [x509] Add chain verification check for absent basicConstraints on non-leaf
    certificates.

v1.3.3


Fixed
  • [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues
    introduced in 1.3.2.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate.
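The S < L canonical-scalar check called out in the Ed25519 item of the release notes above, as an added example in plain Node.js (this is not node-forge's code or anything from this PR): `makeConstructedSig` builds constructed byte patterns that are not valid signatures over anything, and `verifyFn` is a hypothetical verifier callback standing in for whatever library is in use.

```javascript
// Added example (not node-forge's code): a canonical-scalar check for Ed25519
// signatures, the S < L rule from the CVE-2026-33895 item above. An Ed25519
// signature is R (32 bytes) || S (32 bytes, little-endian). A lax verifier also
// accepts the S + L variant, so any dedup or replay logic keyed on signature
// bytes should reject non-canonical S before (or in addition to) verifying.
// Pure Node.js BigInt; no dependencies.

// Group order L of the Ed25519 base point (RFC 8032, section 5.1).
const ED25519_L = (1n << 252n) + 27742317777372353535851937790883648493n;

// Decode little-endian bytes into a BigInt.
function leBytesToBigInt(bytes) {
  let x = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) x = (x << 8n) | BigInt(bytes[i]);
  return x;
}

// Encode a BigInt (< 2^256) as 32 little-endian bytes; used to build sample data.
function bigIntToLe32(x) {
  const out = new Uint8Array(32);
  for (let i = 0; i < 32; i++) { out[i] = Number(x & 0xffn); x >>= 8n; }
  return out;
}

// True iff sig is 64 bytes and its scalar half satisfies 0 <= S < L.
// Returns false (rather than throwing) so callers can treat it as a reject.
function isCanonicalEd25519Signature(sig) {
  if (!(sig instanceof Uint8Array) || sig.length !== 64) return false;
  const s = leBytesToBigInt(sig.subarray(32, 64));
  return s < ED25519_L;
}

// Build a constructed 64-byte signature with a fixed dummy R and the given S.
// Only for exercising the check; it is not a valid signature over anything.
function makeConstructedSig(sValue) {
  const sig = new Uint8Array(64);
  sig.fill(0x42, 0, 32);               // constructed R, arbitrary bytes
  sig.set(bigIntToLe32(sValue), 32);
  return sig;
}

// Gate a verifier with the check: reject non-canonical input, then verify.
// verifyFn is a hypothetical (msg, sig) => boolean from the library in use.
function verifyCanonical(verifyFn, msg, sig) {
  return isCanonicalEd25519Signature(sig) && verifyFn(msg, sig);
}
```

Running the gate in front of a verifier that lacks the check restores the uniqueness property the release notes describe, since any S >= L is refused before the library sees it.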

coderabbitai Bot commented Jun 9, 2026



Warning

Review limit reached

@ivan-flamingo, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 49 minutes and 47 seconds. Learn how PR review limits work.

To continue reviewing without waiting, enable usage-based billing in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: fa7a2d6b-2924-46aa-a5da-9fbea534fa7a

📥 Commits

Reviewing files that changed from the base of the PR and between 67130c7 and 283f257.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
📝 Walkthrough


The pull request updates the node-forge dependency in package.json from version 1.3.2 to 1.4.0. This is a single-line version bump to a cryptographic library dependency.

Changes

Dependency Version Update

Layer / File(s): node-forge dependency version bump (package.json)
Summary: The node-forge package dependency is updated from version 1.3.2 to 1.4.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A whisker of change, so tiny and neat,
node-forge hops forward to 1.4 sweet,
Version bumped up with a hop and a bound,
Cryptography fresh, security-sound! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately and specifically describes the main change: updating the node-forge dependency from 1.3.2 to 1.4.0.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


ivan-flamingo force-pushed the renovate/node-forge-1.x branch 2 times, most recently from f11cfe5 to bf90e13 on June 17, 2026 11:24
ivan-flamingo force-pushed the renovate/node-forge-1.x branch 2 times, most recently from a793a30 to 2927962 on June 24, 2026 19:20
ivan-flamingo force-pushed the renovate/node-forge-1.x branch from 2927962 to 283f257 on June 25, 2026 21:19
