CVE-2025-66031 — Uncontrolled Recursion in Forge

CWE-674 — Uncontrolled Recursion8 documents7 sources

Severity

8.7HIGHNVD

EPSS

0.1%

top 66.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

4

Digitalbazaar Forge Debian Node-node-forge Msrc Azl3 Python-tensorboard 2.16.2-6 ON Azure Linux 3.0 +1 more

Timeline

PublishedNov 26

Latest updateMar 12

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶debiandebian/node-node-forge

▶NVDdigitalbazaar/forge< 1.3.2

▶msrcmsrc/cbl2_reaper_3.1.1-19_on_cbl_mariner_2.0

▶msrcmsrc/azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

3

OSV

CVE-2025-66031: Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript↗2025-11-26

▶

GHSA

node-forge has ASN.1 Unbounded Recursion↗2025-11-26

▶

OSV

node-forge has ASN.1 Unbounded Recursion↗2025-11-26

▶

📋Vendor Advisories

4

CISA ICS

Siemens SIDIS Prime↗2026-03-12

▶

Red Hat

node-forge: node-forge ASN.1 Unbounded Recursion↗2025-11-26

▶

Microsoft

node-forge ASN.1 Unbounded Recursion↗2025-11-11

▶

Debian

CVE-2025-66031: node-node-forge - Forge (also called `node-forge`) is a native implementation of Transport Layer S...↗2025

▶

CVE-2025-66031 — Uncontrolled Recursion in Forge | cvebase