Critical Node-Forge Vulnerability CVE-2025-12816: ASN.1 Flaw Bypasses Cryptographic Security
A critical security vulnerability in the widely used `node-forge` cryptography library has been disclosed, posing a high-severity risk to applications relying on its ASN.1 parsing. The flaw, tracked as CVE-2025-12816, is an Interpretation Conflict (CWE-436) that allows remote, unauthenticated attackers to craft malicious ASN.1 structures. This can desynchronize schema validations, leading to a semantic divergence that may bypass downstream cryptographic verifications and critical security decisions. The vulnerability, reported by researcher Hunter Wodzenski, was present in versions 1.3.1 and below.
The issue was addressed in a rapid patch cycle. Version 1.3.2, released on November 25, 2025, contained the security fix. However, this update inadvertently introduced a regression affecting PKCS#12/PFX functionality. A subsequent patch, version 1.3.3, released on December 2, 2025, resolved this regression by making `digestAlgorithm` parameters optional, restoring stability while maintaining the critical security fix.
This sequence of events highlights the delicate balance in securing foundational cryptographic dependencies. The high-severity rating and potential for bypassing security controls make immediate patching to version 1.3.3 a priority for any project using `node-forge` for TLS, certificates, or PKI operations. The incident underscores the cascading risks when a core security fix disrupts other critical functions, necessitating close monitoring of dependency updates in security-sensitive codebases.
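One way to act on the version guidance above, as an added example rather than code from the node-forge project or the original article: a Node.js script that walks an npm lockfile and classifies each resolved copy of `node-forge`, including transitive ones. The `sampleLock` object and the package names `example-tls-lib`, `example-pfx-tool` and `node-forge-helper` are constructed; lockfile v1 (which has no `packages` map) is not handled.

```javascript
// Added example: classify every resolved copy of node-forge in an npm lockfile.
// Thresholds follow the article; pre-release tags are ignored by the parser.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classifyForgeVersion(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  if (compareVersions(v, [1, 3, 2]) < 0) return "vulnerable"; // 1.3.1 and below
  if (compareVersions(v, [1, 3, 3]) < 0) return "fixed-pkcs12-regression"; // 1.3.2
  return "ok"; // 1.3.3 and later
}

// npm lockfile v2/v3 has a flat "packages" map keyed by install path; transitive
// copies show up as ".../node_modules/node-forge".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/node-forge" || path.endsWith("/node_modules/node-forge")) {
      findings.push({ path, version: meta.version, status: classifyForgeVersion(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile; every package name except node-forge is hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-forge": { version: "1.3.3" },
    "node_modules/example-tls-lib/node_modules/node-forge": { version: "1.3.1" },
    "node_modules/example-pfx-tool/node_modules/node-forge": { version: "1.3.2" },
    "node_modules/node-forge-helper": { version: "0.1.0" },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.status.padEnd(24)} ${f.version}  ${f.path}`);
}
```

To audit a real project, replace `sampleLock` with the parsed contents of its `package-lock.json`; a top-level upgrade alone does not move nested copies pinned by other dependencies.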