Bug 2452457 (CVE-2026-33895) - CVE-2026-33895 node-forge: Forge: Authentication bypass via forged Ed25519 cryptographic signatures
Summary: CVE-2026-33895 node-forge: Forge: Authentication bypass via forged Ed25519 cr...
Keywords:
Status: NEW
Alias: CVE-2026-33895
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452486 2452487 2452488 2452489 2452490 2452491
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-27 21:02 UTC by OSIDB Bzimport
Modified: 2026-03-27 21:47 UTC (History)
44 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-27 21:02:41 UTC 
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Note You need to log in before you can comment on or make changes to this bug.