CVE-2022-24772 - Exploiting Signature Verification Flaw in node-forge’s PKCS#1 v1.5 Implementation

node-forge (sometimes called just forge) is a popular JavaScript library that implements cryptographic protocols—including full-featured TLS/SSL, and a variety of cryptographic primitives. If you’re developing Node.js apps or web tools that need cryptography without native dependencies, chances are you’ve run into it.

But in early 2022, node-forge’s implementation of RSA signature verification with PKCS#1 v1.5 proved far from perfect. Weakness in how DigestInfo ASN.1 parsing was handled led to CVE-2022-24772, a critical security bug.

This post breaks down what happened, why it matters, how attackers could exploit it, and what you need to fix it.

What is CVE-2022-24772?

According to the GitHub advisory and NVD entry, the core of the issue is:

> “node-forge’s RSA PKCS#1 v1.5 signature verification does not check for trailing, garbage bytes after decoding a DigestInfo ASN.1 structure. This allows padding bytes to be removed and garbage data added to forge a signature when a low public exponent is used.”

On verification, decrypt with the public key, decode the ASN.1, compare hashes

ASN.1 is a generic way to describe data structures; in this case, the DigestInfo layout specifies how to wrap the hash with some metadata. Critically, after the ASN.1 parser finds and verifies the hash data, it should check that there’s no “garbage” left—no extra bytes, no padding, nothing.

If you *don’t* check for extra trailing bytes, an attacker can sneak in unexpected data, bypassing proper validation.

The Vulnerability in node-forge

Before version 1.3., node-forge’s code for PKCS#1 v1.5 signature verification failed to check for unwanted trailing bytes.

The ASN.1 parser extracts the DigestInfo structure … but never checks if extra data remains.

- The signature is accepted if the hash *inside* the structure matches, regardless of what’s tacked on afterward.

If someone can tamper with the signature and append garbage—or trim necessary padding off—this opens the door to signature forgery, especially with weak public keys.

Attack Overview

With a low exponent like 3, it’s much easier for an attacker to craft a malicious signature “S” such that:

(S^e) mod N

decodes to something that looks enough like a valid DigestInfo, but with junk at the end.

Since older node-forge versions didn’t check for extra bytes, the signature passes verification.

Exploit Code Example

Below is a proof-of-concept in JavaScript (for educational use only!) that demonstrates how such an exploit could work. It assumes you have some way to find or craft a signature that tricks the parser.

const forge = require('node-forge');
// Vulnerable versions: < 1.3.

// Simulate attacker-crafted signature containing valid DigestInfo + extra junk
const fakeSignature = Buffer.from(
  '0001fffff...DER-ENABLED-DIGESTINFO...JUNKDATA', 'hex'
);

const publicKeyPem = `
-----BEGIN PUBLIC KEY-----
... victim's public key ...
-----END PUBLIC KEY-----
`;

const publicKey = forge.pki.publicKeyFromPem(publicKeyPem);

function verify(signature, message) {
  const md = forge.md.sha256.create();
  md.update(message, 'utf8');
  return publicKey.verify(
    md.digest().bytes(), 
    signature
  );
}

const ok = verify(fakeSignature, 'Important message');
console.log('Forged signature status:', ok);

*In vulnerable versions, this “trash-padded” signature could be accepted as valid!*

How Was It Fixed?

The fix, released in node-forge v1.3., adds an explicit check: after parsing the ASN.1 DigestInfo, any remaining bytes cause failure. This ensures that only exactly-formatted, full signatures pass verification.

> There are no effective workarounds other than updating. No configuration tweak or patch can mitigate this—you must upgrade.

**Check your projects for direct or transitive dependencies on node-forge (< 1.3.).**

- If you’re using a library that relies on node-forge for RSA signature verification—*especially if you accept signatures or certificates from untrusted sources*—consider them at risk.

**Update to node-forge@^1.3. ASAP.**

- Preferably, avoid using RSA with PKCS#1 v1.5 in new projects—use RSASSA-PSS, EdDSA, or ECDSA if possible.

A simple upgrade

npm install node-forge@^1.3.

Or, if you're managing dependencies in a larger project, run

npm audit fix

References and More Reading

- CVE-2022-24772 @ NVD
- GitHub Security Advisory for node-forge
- node-forge Changelog
- Original Fix Pull Request

Final Thoughts

The lesson of CVE-2022-24772 is clear: cryptographic code needs to be *paranoid*—never accept “almost right” input, and never skip safety checks. If you’re responsible for maintaining, auditing, or using cryptographic libraries, keep them patched, understand how they work, and always favor safer standards.

If you use node-forge for RSA signature validation, upgrade to 1.3. or later immediately to stay secure.

*Stay safe! If you found this helpful, share it with your team and ensure nobody’s left running an outdated, vulnerable node-forge.*

Timeline

Published on: 03/18/2022 14:15:00 UTC
Last modified on: 03/28/2022 14:10:00 UTC