CVE-2025-12816 — Interpretation Conflict in Bazaar Node-forge
Severity
8.6HIGHNVD
EPSS
0.1%
top 77.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedNov 25
Latest updateMar 26
Description
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 3.9 | Impact: 4.0
Affected Packages7 packages
Patches
🔴Vulnerability Details
5GHSA▶
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)↗2026-03-26
OSV▶
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)↗2026-03-26
GHSA▶
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization↗2025-11-26
OSV▶
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization↗2025-11-26
OSV▶
CVE-2025-12816: An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1↗2025-11-25
📋Vendor Advisories
4Red Hat▶
node-forge: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications↗2025-11-25
Microsoft▶
CVE-2025-12816: CVE-2025-12816
Mariner: Mariner
certcc: certcc
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn↗2025-11-11
Debian▶
CVE-2025-12816: node-node-forge - An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 ...↗2025