Bug 2452464 (CVE-2026-33894) - CVE-2026-33894 node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification
Summary: CVE-2026-33894 node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1...
Keywords:
Status: NEW
Alias: CVE-2026-33894
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452497 2452498 2452493 2452494 2452495 2452496
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-27 21:03 UTC by OSIDB Bzimport
Modified: 2026-06-09 11:03 UTC (History)
44 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:24761 0 None None None 2026-06-09 11:03:34 UTC

Description OSIDB Bzimport 2026-03-27 21:03:16 UTC
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it.  Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.

Comment 2 errata-xmlrpc 2026-06-09 11:03:31 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:24761 https://access.redhat.com/errata/RHSA-2026:24761


Note You need to log in before you can comment on or make changes to this bug.