Nixpkgs security tracker

Login with GitHub

Suggestion detail

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-33895

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 3 weeks ago by @pyrox0 Activity log

Created suggestion 2 months, 3 weeks ago
@pyrox0 dismissed (not in Nixpkgs) 2 months, 3 weeks ago

Forge has signature forgery in Ed25519 due to missing S > L check

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.

References

https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw x_refsource_CONFIRM
https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85 x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc8032#section-8.4 x_refsource_MISC

Affected products

forge

==< 1.4.0

Matching in nixpkgs

pkgs.forge

None

pkgs.forgejo

Self-hosted lightweight software forge

nixos-unstable 14.0.3
- nixpkgs-unstable 14.0.3
- nixos-unstable-small 14.0.3

pkgs.fontforge

Font editor

nixos-unstable 20251009
- nixpkgs-unstable 20251009
- nixos-unstable-small 20251009

pkgs.forge-mtg

Magic: the Gathering card game with rules enforcement

nixos-unstable 2.0.11
- nixpkgs-unstable 2.0.11
- nixos-unstable-small 2.0.11

pkgs.mindforger

Thinking Notebook & Markdown IDE

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.forgejo-cli

CLI application for interacting with Forgejo

nixos-unstable 0.4.1
- nixpkgs-unstable 0.4.1
- nixos-unstable-small 0.4.1

pkgs.forgejo-lts

Self-hosted lightweight software forge

nixos-unstable 11.0.11
- nixpkgs-unstable 11.0.11
- nixos-unstable-small 11.0.11

pkgs.forgejo-mcp

Model Context Protocol (MCP) server for interacting with the Forgejo REST API

nixos-unstable 2.16.0
- nixpkgs-unstable 2.16.0
- nixos-unstable-small 2.16.0

pkgs.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server

nixos-unstable 2.15.7
- nixpkgs-unstable 2.15.7
- nixos-unstable-small 2.15.7

pkgs.forge-sparks

Get Git forges notifications

nixos-unstable 1.0.1
- nixpkgs-unstable 1.0.1
- nixos-unstable-small 1.0.1

pkgs.fontforge-gtk

Font editor

nixos-unstable 20251009
- nixpkgs-unstable 20251009
- nixos-unstable-small 20251009

pkgs.forgejo-runner

Runner for Forgejo based on act

nixos-unstable 12.7.3
- nixpkgs-unstable 12.7.2
- nixos-unstable-small 12.7.3

pkgs.fontforge-fonttools

Font editor

nixos-unstable 20251009
- nixpkgs-unstable 20251009
- nixos-unstable-small 20251009

pkgs.gnomeExtensions.forge

Tiling and window manager for GNOME

nixos-unstable 49.3-development
- nixpkgs-unstable 49.3-development
- nixos-unstable-small 49.3-development

pkgs.python312Packages.fontforge

None

pkgs.python313Packages.fontforge

Font editor

nixos-unstable 20251009
- nixpkgs-unstable 20251009
- nixos-unstable-small 20251009

pkgs.python314Packages.fontforge

Font editor

nixos-unstable 20251009
- nixpkgs-unstable 20251009
- nixos-unstable-small 20251009

pkgs.python312Packages.mcdreforged

None

pkgs.python313Packages.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server

nixos-unstable 2.15.7
- nixpkgs-unstable 2.15.7
- nixos-unstable-small 2.15.7

pkgs.python314Packages.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server

nixos-unstable 2.15.7
- nixpkgs-unstable 2.15.7
- nixos-unstable-small 2.15.7

pkgs.python312Packages.browserforge

None

pkgs.python313Packages.browserforge

Intelligent browser header & fingerprint generator

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

pkgs.python314Packages.browserforge

Intelligent browser header & fingerprint generator

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

pkgs.nodePackages.%40electron-forge%2Fcli

None

pkgs.nodePackages_latest.%40electron-forge%2Fcli

None

Package maintainers

@philiptaron Philip Taron <philip.taron@gmail.com>
@UlyssesZh Ulysses Zhan <ulysseszhan@gmail.com>
@dyegoaurelio Dyego Aurelio <d@dyego.email>
@eigengrau Sebastian Reuße <seb@schattenkopie.de>
@Aleksanaa Aleksana QwQ <me@aleksana.moe>
@getchoo Seth Flynn <getchoo@tuta.io>
@michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
@christoph-heiss Christoph Heiss <christoph@c8h4.io>
@tebriel tebriel <tebriel@frodux.in>
@bendlas Herwig Hochleitner <herwig@bendlas.net>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@emilylange Emily Lange <nix@emilylange.de>
@nycodeghg Marie Ramlow <tabmeier12+nix@gmail.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@isabelroses Isabel Roses <isabel@isabelroses.com>
@0xda157 0xda157 <da157@voidq.com>
@nrabulinski Nikodem Rabuliński <1337-nix@nrab.lol>
@agustinmista Agustin Mista <agustin@mista.me>
@Moraxyc Moraxyc Xu <i@qaq.li>
@cyplo Cyryl Płotnicki <nixos@cyplo.dev>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@malikwirin Malik <abdelmalik.najhi@stud.hs-kempten.de>