GHSA-ppp5-5v6c-4jwp: Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
high
vulnerability
security
Summary
The Forge library's RSA PKCS#1 v1.5 signature verification lets an attacker forge signatures for keys with a low public exponent (such as e=3) without knowing the private key. The flaw is in how Forge checks the recovered signature value: it parses the DigestInfo structure (encoded in ASN.1, the format used for that structure) with a parser that does not strictly validate it. The parser tolerates extra garbage bytes inside the ASN.1 container and does not enforce the minimum of 8 padding bytes that PKCS#1 v1.5 requires. Because the attacker controls those garbage bytes, and because taking a cube root is cheap when e=3, a signature can be constructed that passes Forge's checks but is rejected by other cryptographic libraries such as OpenSSL, which rebuild the single valid encoded message and compare it byte for byte.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
March 26, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
node-forge < 1.4.0 (fixed: 1.4.0)
Original source: https://github.com/advisories/GHSA-ppp5-5v6c-4jwp
First tracked: March 26, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%