CVE-2026-33895
Published: 27 March 2026
Summary
CVE-2026-33895 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Digitalbazaar Forge. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification, reporting, and correction of software flaws such as the Ed25519 signature verification vulnerability in node-forge prior to version 1.4.0.
Mandates vulnerability scanning and monitoring that identifies known issues like CVE-2026-33895 in software dependencies including node-forge.
Requires implementation of cryptographic protections adhering to standards like RFC 8032, mitigating risks from improper Ed25519 signature verification that accepts non-canonical malleable signatures.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote unauthenticated exploitation against applications using the vulnerable library (T1190) and directly bypasses Ed25519 signature verification, subverting trust controls for signed objects and code (T1553.002).
NVD Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.
Deeper analysis
CVE-2026-33895 is a vulnerability in Forge, also known as node-forge, a JavaScript implementation of Transport Layer Security. Prior to version 1.4.0, the Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify successfully in Forge, while Node.js crypto.verify (backed by OpenSSL) rejects the S + L variant as specified.
Remote attackers can exploit this vulnerability with low complexity and no privileges required, per its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). By crafting malleable signatures, attackers can bypass authentication and authorization logic. Applications depending on signature uniqueness—such as deduplication by signature bytes, replay tracking, or signed-object canonicalization checks—are susceptible to evasion.
The vulnerability is addressed in Forge version 1.4.0. The GitHub security advisory GHSA-q67f-28xg-22rw provides details, and the patching commit is at https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85. RFC 8032 section 8.4 defines the proper signature verification requirements.
This signature malleability issue has been exploited in practice to bypass security controls, as documented in related vulnerabilities CVE-2026-25793 and CVE-2022-35961.
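The check that RFC 8032 requires (S strictly less than the group order L) can be enforced in front of a replay tracker keyed on signature bytes, as in the added example below; it is not code from node-forge or from the advisory. The class and helper names are hypothetical, the signatures are constructed test vectors rather than real ones, and the check complements an upgrade to 1.4.0 and full signature verification rather than replacing either.

```javascript
// Added example, not node-forge code. It checks the encoding only; it does not
// verify the signature cryptographically.
// Ed25519 group order L (RFC 8032): 2^252 + 27742317777372353535851937790883648493
const ED25519_L = (1n << 252n) + 27742317777372353535851937790883648493n;

// Decode little-endian bytes into a BigInt.
function leBytesToBigInt(bytes) {
  let n = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) n = (n << 8n) | BigInt(bytes[i]);
  return n;
}

// True only for a 64-byte signature (R || S) whose scalar S satisfies 0 <= S < L.
function hasCanonicalS(signature) {
  if (!(signature instanceof Uint8Array) || signature.length !== 64) return false;
  return leBytesToBigInt(signature.subarray(32, 64)) < ED25519_L;
}

// Hypothetical replay tracker keyed on signature bytes. Non-canonical encodings
// are refused before they can create a second key for the same signed message.
class SignatureReplayGuard {
  constructor() { this.seen = new Set(); }
  // Returns 'rejected-noncanonical', 'replay' or 'fresh'.
  check(signature) {
    if (!hasCanonicalS(signature)) return 'rejected-noncanonical';
    const key = Array.from(signature, (b) => b.toString(16).padStart(2, '0')).join('');
    if (this.seen.has(key)) return 'replay';
    this.seen.add(key);
    return 'fresh';
  }
}

// Constructed test vector: filler R bytes and a chosen S; not a real signature.
function makeConstructedSignature(s) {
  const sig = new Uint8Array(64).fill(0x11, 0, 32);
  for (let i = 32; i < 64; i++) { sig[i] = Number(s & 0xffn); s >>= 8n; }
  return sig;
}

function demo() {
  const guard = new SignatureReplayGuard();
  const original = makeConstructedSignature(5n);
  const variant = makeConstructedSignature(5n + ED25519_L); // the S + L encoding
  return [guard.check(original), guard.check(original), guard.check(variant)];
}

console.log(demo()); // [ 'fresh', 'replay', 'rejected-noncanonical' ]
```

Without the `hasCanonicalS` gate, the two encodings would produce different keys in `seen`, which is how a dedup or replay check keyed on signature bytes gets bypassed when the verifier accepts both.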
Details
- CWE(s)