@brynary brynary commented Nov 29, 2025

Summary

  • Override node-forge dependency to version 1.3.2 to address CVE-2025-12816
  • The vulnerability in versions 1.3.1 and below allows ASN.1 validation bypass
  • This bypass could compromise cryptographic verifications in affected applications

Changes

  • Added npm override for node-forge to 1.3.2 in package.json
  • Updated package-lock.json with the new resolved version

Test plan

  • Verify npm install completes successfully
  • Verify npm run build completes without errors
  • Confirm node-forge version is 1.3.2 in node_modules

🤖 Generated with Claude Code

Override node-forge to version 1.3.2 to address a security vulnerability
in versions 1.3.1 and below. The vulnerability allowed ASN.1 validation
bypass which could compromise cryptographic verifications.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Copilot AI review requested due to automatic review settings November 29, 2025 03:29
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Copilot finished reviewing on behalf of brynary November 29, 2025 03:31

Copilot AI left a comment


Pull request overview

This pull request addresses CVE-2025-12816 by overriding the node-forge dependency to version 1.3.2, which fixes an ASN.1 validation bypass vulnerability. The package is used transitively through @devicefarmer/adbkit, a dependency of web-ext.

Key Changes:

  • Added npm override for node-forge to version 1.3.2 in package.json
  • Updated package-lock.json to reflect the new node-forge version

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File: package.json
Description: Added node-forge override to version 1.3.2 alongside existing pino override

File: package-lock.json
Description: Updated node-forge version and metadata, but contains erroneous peer dependency markers on multiple packages
