Nixpkgs security tracker
7.4 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
by @pyrox0 Activity log
- Created suggestion
- @pyrox0 dismissed (not in Nixpkgs)
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
References
Affected products
- ==< 1.4.0
Matching in nixpkgs
pkgs.forge
None
pkgs.forgejo
Self-hosted lightweight software forge
pkgs.fontforge
Font editor
pkgs.forge-mtg
Magic: the Gathering card game with rules enforcement
pkgs.mindforger
Thinking Notebook & Markdown IDE
pkgs.forgejo-cli
CLI application for interacting with Forgejo
pkgs.forgejo-lts
Self-hosted lightweight software forge
pkgs.forgejo-mcp
Model Context Protocol (MCP) server for interacting with the Forgejo REST API
pkgs.mcdreforged
Rewritten version of MCDaemon, a python tool to control your Minecraft server
pkgs.forge-sparks
Get Git forges notifications
pkgs.fontforge-gtk
Font editor
pkgs.forgejo-runner
Runner for Forgejo based on act
pkgs.fontforge-fonttools
Font editor
pkgs.gnomeExtensions.forge
Tiling and window manager for GNOME
-
nixos-unstable 49.3-development
- nixpkgs-unstable 49.3-development
- nixos-unstable-small 49.3-development
pkgs.python312Packages.fontforge
None
pkgs.python313Packages.fontforge
Font editor
pkgs.python314Packages.fontforge
Font editor
pkgs.python312Packages.mcdreforged
None
pkgs.python313Packages.mcdreforged
Rewritten version of MCDaemon, a python tool to control your Minecraft server
pkgs.python314Packages.mcdreforged
Rewritten version of MCDaemon, a python tool to control your Minecraft server
pkgs.python312Packages.browserforge
None
pkgs.python313Packages.browserforge
Intelligent browser header & fingerprint generator
pkgs.python314Packages.browserforge
Intelligent browser header & fingerprint generator
pkgs.nodePackages.%40electron-forge%2Fcli
None
Package maintainers
-
@philiptaron Philip Taron <philip.taron@gmail.com>
-
@UlyssesZh Ulysses Zhan <ulysseszhan@gmail.com>
-
@dyegoaurelio Dyego Aurelio <d@dyego.email>
-
@eigengrau Sebastian Reuße <seb@schattenkopie.de>
-
@Aleksanaa Aleksana QwQ <me@aleksana.moe>
-
@getchoo Seth Flynn <getchoo@tuta.io>
-
@michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
-
@christoph-heiss Christoph Heiss <christoph@c8h4.io>
-
@tebriel tebriel <tebriel@frodux.in>
-
@bendlas Herwig Hochleitner <herwig@bendlas.net>
-
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
-
@emilylange Emily Lange <nix@emilylange.de>
-
@nycodeghg Marie Ramlow <tabmeier12+nix@gmail.com>
-
@pyrox0 Pyrox <pyrox@pyrox.dev>
-
@isabelroses Isabel Roses <isabel@isabelroses.com>
-
@0xda157 0xda157 <da157@voidq.com>
-
@nrabulinski Nikodem Rabuliński <1337-nix@nrab.lol>
-
@agustinmista Agustin Mista <agustin@mista.me>
-
@cyplo Cyryl Płotnicki <nixos@cyplo.dev>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>