• Popular JavaScript library can be hacked to allow attackers into

    From TechnologyDaily@1337:1/100 to All on Thursday, November 27, 2025 15:45:11
    Popular JavaScript library can be hacked to allow attackers into user accounts

    Date:
    Thu, 27 Nov 2025 15:37:00 +0000

    Description:
    A package with 26 million weekly downloads carried a major flaw which has since been addressed.

    FULL STORY ======================================================================
    - Node-forge cryptography library flaw (CVE-2025-12816) allowed bypass of signature and certificate validation
    - CERT-CC warns of risks including authentication bypass and signed data tampering
    - Maintainers released version 1.3.2; developers urged to update immediately

    A popular JavaScript cryptography library is vulnerable in a way which could allow threat actors to break into user accounts. The library has since been updated, and users are urged to move to the new version as soon as possible.

    The bug was found in the node-forge package, a popular cryptography tool that provides functions for things like encryption, decryption, hashing, digital signatures, TLS/SSL, and key generation, all without needing native modules.

    The bug lets an attacker craft a bogus ASN.1 data structure that tricks the library into skipping cryptographic checks, allowing signature or certificate validation to be bypassed. It is tracked as CVE-2025-12816 and is given a severity score of 8.6/10 (high). Abstract Syntax Notation One (ASN.1) is a standard format used for encoding data in certificates and cryptographic operations.

    Significant impact

    Carnegie Mellon CERT-CC also issued a security advisory, in which it said the bug can be abused in different ways, and may result in authentication bypass, signed data tampering, or misuse of certificate-related functions.

    In environments where cryptographic verification plays a central role in
    trust decisions, the potential impact can be significant, CERT-CC said.

    Node.js developers should care because node-forge is a core cryptography library used in countless web apps and services. It is also an immensely popular library, with almost 26 million weekly downloads on the Node Package Manager (npm) registry.

    The vulnerability was discovered by cybersecurity researchers from Palo Alto Networks, and was responsibly disclosed to node-forge maintainers, who released a fix earlier this week.

    The fix brings the library to version 1.3.2, and developers using node-forge are urged to switch to the new version as soon as possible. As a general rule of thumb, developers should promptly update cryptography dependencies in Node.js projects, as even widely used, trusted packages can contain critical flaws.
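    As an added defender's check, not code from the article or from the node-forge project: a small Node.js script that walks an npm lockfile's "packages" map and flags every node-forge install, direct or transitive, that is older than the 1.3.2 release the article names as the fix. The lockfile below is constructed sample data, and compareSemver is our own helper for plain x.y.z versions.

```javascript
// Added example, not code from the article or the node-forge project.
// Walks an npm lockfile (lockfileVersion 2/3 "packages" map) and flags
// node-forge installs older than the 1.3.2 fix release named in the article.
const FIXED_VERSION = '1.3.2';

// Compare two "x.y.z" versions numerically (pre-release tags dropped); returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every entry whose install path ends in node_modules/node-forge and whose
// version predates the fix; nested paths are the transitive copies a top-level check misses.
function findVulnerableForge(lockfile, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const parts = path.split('/');
    const isForge = parts[parts.length - 1] === 'node-forge' &&
                    parts[parts.length - 2] === 'node_modules';
    if (!isForge || !meta.version) continue;
    if (compareSemver(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed package-lock.json fragment (sample data): the direct dependency is on
// 1.3.2, but a helper package still bundles an older copy of node-forge.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-forge': { version: '1.3.2' },
    'node_modules/some-tls-helper': { version: '2.0.0' },
    'node_modules/some-tls-helper/node_modules/node-forge': { version: '1.3.1' },
  },
};

// For a real project, replace SAMPLE_LOCK with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const hit of findVulnerableForge(SAMPLE_LOCK)) {
  console.log(`node-forge ${hit.version} at ${hit.path} predates ${FIXED_VERSION}`);
}
```

    Pairing this with `npm ls node-forge` confirms which top-level dependency pulls in each stale copy.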

    Via BleepingComputer




    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/popular-javascript-library-can-be-hacked-to-allow-attackers-into-user-accounts


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)