Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.

Affected Products

Vendor	Product	Versions
digitalbazaar	forge	< 1.4.0

References

https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25(x_refsource_CONFIRM)
https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90(x_refsource_MISC)

Related News (2 articles)

Tier A

Microsoft MSRC2h ago

CVE-2026-33896 Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)

→ No new info (linked only)

Tier C

VulDB4d ago

CVE-2026-33896 | digitalbazaar forge 1.3.2 Certificate Chain certificate validation

→ No new info (linked only)

Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History