A high-severity vulnerability in the widely used node-forge JavaScript cryptography library allows attackers to forge trusted certificate chains by exploiting a lack of enforcement of RFC 5280 basicConstraints requirements, enabling any standard leaf certificate to impersonate a Certificate Authority (CA).
CVE-2026-33896 (GHSA-2328-f5f3-gj25) was published on March 27, 2026, by security researcher Doruk Tan Ozturk and affects all node-forge versions ≤ 1.3.3.
The flaw resides in the pki.verifyCertificateChain() function and is classified under CWE-295 (Improper Certificate Validation).
Node-Forge Vulnerability Overview
The vulnerability carries a CVSS v3.1 severity rating of High, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, reflecting network-accessible, no-privilege-required exploitation with complete compromise of confidentiality and integrity.
node-forge is a native JavaScript implementation of Transport Layer Security (TLS), PKI, and cryptographic utilities widely deployed in Node.js ecosystems for custom certificate validation, S/MIME operations, IoT device authentication, and PKCS#7 signature workflows.
Its broad adoption across production-grade npm packages makes the attack surface of this flaw particularly significant.
Forge Trusted Certificates
The root cause lies in the verifyCertificateChain() function in lib/x509.js (approximately lines 3147–3199). The function contains two separate conditional CA authorization checks: the keyUsage check is gated on keyUsageExt !== null, and the basicConstraints.cA check is gated on bcExt !== null.
When an intermediate certificate carries neither the basicConstraints nor the keyUsage extension, both checks are silently skipped, and the certificate passes all CA validation logic without ever being scrutinized.
This directly violates RFC 5280 Section 6.1.4 step (k), which mandates: “If certificate i is a version 3 certificate, verify that the basicConstraints extension is present and that cA is set to TRUE.” Under the RFC, the absence of basicConstraints must result in rejection of the certificate as a CA node; forge, instead, treats its absence as a pass-through condition.
The confirmed behavior from the researcher’s Proof of Concept is:
- Certificate with NO extensions → Accepted as CA (vulnerable, RFC 5280 violation)
- Certificate with basicConstraints.cA=false → Correctly rejected
- Certificate with keyUsage but no keyCertSign → Correctly rejected
- Legitimate intermediate CA → Correctly accepted
Attack Scenario and Real-World Impact
An attacker who possesses any valid leaf TLS certificate, such as a domain certificate for attacker.com that was issued without basicConstraints or keyUsage extensions, can use it to sign certificates for any arbitrary domain.
Any application using pki.verifyCertificateChain() for validation will accept the resulting forged chain as fully trusted.
The attack requires high complexity, as the adversary must be positioned to deliver the crafted chain, for example, via a man-in-the-middle scenario or a compromised certificate distribution endpoint.
However, because no privileges are required and no user interaction is needed, the exploitation window is broad in environments where node-forge is used for non-native TLS validation.
Affected application categories include:
- Custom PKI and certificate pinning implementations
- S/MIME and PKCS#7 signature verification pipelines
- IoT device certificate provisioning and validation
- Any enterprise system using node-forge instead of native TLS APIs
This vulnerability belongs to a historically dangerous class of CA bypass flaws, sharing a lineage with CVE-2014-0092 (GnuTLS certificate verification bypass), CVE-2015-1793 (OpenSSL alternative chain bypass), and CVE-2020-0601 (Windows CryptoAPI spoofing).
Patch and Suggested Fix
The vulnerability is fully patched in node-forge version 1.4.0, released to address this specific flaw. The fix introduces an explicit check for missing basicConstraints on non-leaf certificates before the chain verification completes.
The suggested code-level remediation adds the following logic immediately after the keyUsage check block and before the cA check:

```javascript
// Reject any non-leaf certificate that carries no basicConstraints extension.
if(error === null && bcExt === null) {
  error = {
    message: 'Certificate is missing basicConstraints extension and cannot be used as a CA.',
    error: pki.certificateError.bad_certificate
  };
}
```
Apache OpenSearch Dashboards has already flagged and is actively patching this via a dependency bump from node-forge 1.3.2 to 1.4.0.
Mitigation Guidance
Organizations and developers relying on node-forge should take immediate action:
- Upgrade immediately to node-forge >= 1.4.0 via npm install node-forge@1.4.0
- Audit dependency trees using npm audit or tools like Snyk and SonarQube to identify transitive usage of vulnerable versions
- Implement certificate pinning as a compensating control to restrict trusted certificates and sidestep chain validation flaws
- Consider native TLS APIs for security-critical applications to avoid third-party PKI implementation risks
- Verify intermediate certificates manually in legacy deployments where an immediate upgrade is not feasible
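For the manual intermediate check in the last item, and to reproduce the four proof-of-concept outcomes listed earlier, the following is an added example (not node-forge's or the researcher's code) of a verify callback that enforces the CA checks on every issuer in a chain. It assumes only the certificate method getExtension(name) and the verify-callback arguments (verified, depth, chain); stubCert and checkChain are hypothetical helpers with constructed sample data. It is stricter than RFC 5280 in that it applies the basicConstraints requirement to issuers of any certificate version.

```javascript
// Added example, not node-forge's own code. Uses only cert.getExtension(name)
// and the verify-callback signature (verified, depth, chain).

// Returns null if `cert` may act as a CA, otherwise the reason it may not.
function caConstraintFailure(cert) {
  const bc = cert.getExtension('basicConstraints');
  if (!bc) {
    // The case vulnerable versions skip: absence must mean "not a CA".
    return 'missing basicConstraints';
  }
  if (bc.cA !== true) {
    return 'basicConstraints.cA is not TRUE';
  }
  const ku = cert.getExtension('keyUsage');
  if (ku && ku.keyCertSign !== true) {
    return 'keyUsage present without keyCertSign';
  }
  return null;
}

// Verify callback: depth 0 is the end-entity certificate, every higher
// depth is an issuer and must pass the CA checks above.
function requireCaConstraints(verified, depth, chain) {
  if (verified !== true) {
    return verified; // keep the library's own error
  }
  if (depth === 0) {
    return true;
  }
  const reason = caConstraintFailure(chain[depth]);
  return reason === null
    ? true
    : { message: 'Issuer at depth ' + depth + ' rejected: ' + reason };
}

// Constructed stand-in for a parsed certificate (hypothetical, sample data only).
function stubCert(extensions) {
  return { getExtension: (name) => extensions[name] || null };
}

// Replays the callback over a chain; returns true or the first rejection.
function checkChain(chain) {
  for (let depth = 0; depth < chain.length; depth++) {
    const result = requireCaConstraints(true, depth, chain);
    if (result !== true) return result;
  }
  return true;
}
```

With node-forge itself, the callback is passed as pki.verifyCertificateChain(caStore, chain, {verify: requireCaConstraints}), so it runs in addition to the library's built-in checks.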
| Date | Event |
|---|---|
| March 10, 2026 | Report submitted |
| March 27, 2026 | GHSA-2328-f5f3-gj25 |
| June 8, 2026 | 90-day coordinated disclosure deadline |
Frequently Asked Questions
Q1: What is CVE-2026-33896?
It is a high-severity basicConstraints bypass in node-forge’s pki.verifyCertificateChain() that allows any leaf certificate lacking basicConstraints and keyUsage extensions to be accepted as a valid CA, in violation of RFC 5280.
Q2: Which versions of node-forge are affected?
All versions up to and including 1.3.3 are affected; upgrading to 1.4.0 fully resolves the issue.
Q3: Can an attacker exploit this remotely without authentication?
Yes, the CVSS vector confirms network-based exploitation requiring no privileges or user interaction, though high attack complexity (e.g., MitM positioning) is required.
Q4: How do I check if my project uses a vulnerable version of node-forge?
Run npm audit or use Snyk/SonarQube to scan your dependency tree for node-forge versions below 1.4.0, including transitive dependencies.
Site: http://thecybrdef.com