Vulnerabilities

 3 via 3 paths

Dependencies

 10

Source

 GitHub

Commit

 84ddb922

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 1
  • 1
Status
  • 3
  • 0
  • 0

critical severity

Interpretation Conflict

  • Vulnerable module: node-forge
  • Introduced through: node-forge@1.3.1

Detailed paths

  • Introduced through: @walletpass/pass-js@destinationstransfers/passkit#84ddb92210a0243c5947a063d4e1d0654604d5ef node-forge@1.3.1
    Remediation: Upgrade to node-forge@1.3.2.

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Interpretation Conflict via the asn1.validate() function. An attacker can cause schema validation to become desynchronized, resulting in semantic divergence that may allow bypassing cryptographic verifications and security decisions, by passing in ASN.1 data with optional parameters that may be interpreted as object boundaries.

Remediation

Upgrade node-forge to version 1.3.2 or higher.

References

Interpretation Conflict vulnerability report

high severity

Uncontrolled Recursion

  • Vulnerable module: node-forge
  • Introduced through: node-forge@1.3.1

Detailed paths

  • Introduced through: @walletpass/pass-js@destinationstransfers/passkit#84ddb92210a0243c5947a063d4e1d0654604d5ef node-forge@1.3.1
    Remediation: Upgrade to node-forge@1.3.2.

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Uncontrolled Recursion via the fromDer function in asn1.js, which lacks recursion depth. An attacker can cause stack exhaustion and disrupt service availability by submitting specially crafted, deeply nested DER-encoded ASN.1 data.

Remediation

Upgrade node-forge to version 1.3.2 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: node-forge
  • Introduced through: node-forge@1.3.1

Detailed paths

  • Introduced through: @walletpass/pass-js@destinationstransfers/passkit#84ddb92210a0243c5947a063d4e1d0654604d5ef node-forge@1.3.1
    Remediation: Upgrade to node-forge@1.3.2.

Overview

node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the derToOid function in the asn1.js file, which decodes ASN.1 structures containing OIDs with oversized arcs. An attacker can bypass security decisions based on OID validation by crafting malicious ASN.1 data that exploits 32-bit bitwise truncation.

Remediation

Upgrade node-forge to version 1.3.2 or higher.

References

Integer Overflow or Wraparound vulnerability report