CVE-2026-33896 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` do…
High CVSS: 7.4

CVE-2026-33896

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
Vendor
-
Product
-
CWE
CWE-295
Yayın Tarihi
2026-03-27 21:17:26
Güncelleme
2026-03-30 19:16:25
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-295 HIGH 2026

Referanslar

https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90 https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25 https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25