Popular JavaScript library can be hacked to allow attackers into user accounts

2025-11-27 15:37

A package with 26 million weekly downloads carried a major flaw which has since been addressed.

By Sead Fadilpašić, published 27 November 2025

  • Node-forge cryptography library flaw (CVE-2025-12816) allowed bypass of signature and certificate validation
  • CERT-CC warns of risks including authentication bypass and signed data tampering
  • Maintainers released version 1.3.2; developers urged to update immediately

A popular JavaScript cryptography library is vulnerable in a way which could allow threat actors to break into user accounts. The library has since been updated, and users are urged to move to the new version as soon as possible.

The bug was found in the ‘node-forge’ package, a popular cryptography tool that provides functions for things like encryption, decryption, hashing, digital signatures, TLS/SSL, and key generation, all without needing native modules.

The bug lets an attacker craft a bogus ASN.1 data structure that tricks the library into skipping cryptographic checks, allowing signature or certificate validation to be bypassed. It is tracked as CVE-2025-12816 and has a severity score of 8.6/10 (high). Abstract Syntax Notation One (ASN.1) is a standard format for encoding data in certificates and cryptographic operations.

Significant impact

Carnegie Mellon CERT-CC also issued a security advisory, in which it said the bug can be abused in different ways and may result in authentication bypass, signed data tampering, or misuse of certificate-related functions.

“In environments where cryptographic verification plays a central role in trust decisions, the potential impact can be significant,” CERT-CC said.

Node.js developers should care because node-forge is a core cryptography library used in countless web apps and services. It is also an immensely popular library, with almost 26 million weekly downloads on the Node Package Manager (npm) registry.

The vulnerability was discovered by cybersecurity researchers from Palo Alto Networks, and was responsibly disclosed to node-forge maintainers, who released a fix earlier this week.

The fix brings the library to version 1.3.2, and developers using node-forge are urged to switch to the new version as soon as possible. As a general rule of thumb, developers should promptly update cryptography dependencies in Node.js projects, as even widely used, trusted packages can contain critical flaws.
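Because node-forge is often pulled in transitively, a patched top-level copy does not guarantee that every install in the tree is at 1.3.2. The following script is an added example (not from the article or the node-forge project) that walks a package-lock.json and reports each node-forge install older than the fixed release; the lockfile it scans is constructed for illustration.

```javascript
// Added example, not from the article or node-forge: flag node-forge installs in a
// package-lock.json that predate 1.3.2, the release the article names as the fix.
const FIXED = '1.3.2';
// Numeric compare of "x.y.z" strings (prerelease suffix ignored); returns -1, 0 or 1.
// A plain string compare would wrongly rank "1.10.0" below "1.3.2".
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Return every node-forge install (direct or transitive) whose version is below FIXED.
// Supports lockfile v2/v3 (flat "packages" map) and v1 (nested "dependencies").
function findVulnerableNodeForge(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/node-forge') && meta.version &&
          compareSemver(meta.version, FIXED) < 0) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'node-forge' && compareSemver(meta.version, FIXED) < 0) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lockfile: the direct copy is patched, but a dependency
// ("some-lib", a made-up name) still bundles an older node-forge.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/node-forge': { version: '1.3.2' },
    'node_modules/some-lib/node_modules/node-forge': { version: '1.3.1' },
  },
};
console.log(findVulnerableNodeForge(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any reported path is an install that still needs updating.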

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
