7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
by @pyrox0

Activity log
- Created suggestion
- @pyrox0 dismissed (not in Nixpkgs)
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
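The failure mode described above is a loop whose exit condition can never be reached for one specific input. A guarded modular-inverse routine, written here as an added example (this is not node-forge's or jsbn's code, and it uses native BigInt so it runs without the library), rejects the zero and non-coprime cases up front and so always either returns a value or throws, never spins. The helper name `canInvert` is an assumption: it models a pre-check a caller could run on untrusted values before delegating to a library routine whose loop assumes a nonzero operand.

```javascript
// Added example, not node-forge/jsbn code. All inputs are BigInt.

// Iterative extended Euclidean algorithm on non-negative BigInts.
// Returns { g, x, y } with a*x + b*y === g === gcd(a, b).
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r; // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return { g: oldR, x: oldS, y: oldT };
}

// Reduce a into the range [0, m) so negative inputs are handled uniformly.
function reduceMod(a, m) {
  return ((a % m) + m) % m;
}

// Pre-check (assumed helper name): true only if a has an inverse modulo m.
// Zero never has one, and the check itself is guaranteed to terminate.
function canInvert(a, m) {
  if (typeof a !== "bigint" || typeof m !== "bigint") return false;
  if (m <= 1n) return false;
  const r = reduceMod(a, m);
  if (r === 0n) return false; // the exact case behind the advisory: reject, do not loop
  return extendedGcd(r, m).g === 1n;
}

// Guarded modular inverse: validates before computing, throws instead of hanging.
function modInverse(a, m) {
  if (typeof a !== "bigint" || typeof m !== "bigint") {
    throw new TypeError("modInverse expects BigInt operands");
  }
  if (m <= 1n) throw new RangeError("modulus must be greater than 1");
  const r = reduceMod(a, m);
  if (r === 0n) throw new RangeError("zero has no modular inverse");
  const { g, x } = extendedGcd(r, m);
  if (g !== 1n) throw new RangeError("operands are not coprime; no inverse exists");
  return reduceMod(x, m);
}

// Example usage with constructed values: 3 * 4 = 12 = 1 (mod 11).
if (canInvert(3n, 11n)) {
  console.log(modInverse(3n, 11n).toString()); // 4
}
console.log(canInvert(0n, 11n)); // false, returned immediately rather than hanging
```

The design choice worth copying is that every rejection happens before any loop runs on the caller's value: the zero case, the non-coprime case and a degenerate modulus are all detected by a bounded check, so a hostile or malformed operand costs one gcd computation rather than an unbounded amount of CPU.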
References
Affected products
- < 1.4.0
Matching in nixpkgs
- pkgs.forge: None
- pkgs.forgejo: Self-hosted lightweight software forge
- pkgs.fontforge: Font editor
- pkgs.forge-mtg: Magic: the Gathering card game with rules enforcement
- pkgs.mindforger: Thinking Notebook & Markdown IDE
- pkgs.forgejo-cli: CLI application for interacting with Forgejo
- pkgs.forgejo-lts: Self-hosted lightweight software forge
- pkgs.forgejo-mcp: Model Context Protocol (MCP) server for interacting with the Forgejo REST API
- pkgs.mcdreforged: Rewritten version of MCDaemon, a python tool to control your Minecraft server
- pkgs.forge-sparks: Get Git forges notifications
- pkgs.fontforge-gtk: Font editor
- pkgs.forgejo-runner: Runner for Forgejo based on act
- pkgs.fontforge-fonttools: Font editor
- pkgs.gnomeExtensions.forge: Tiling and window manager for GNOME
  - nixos-unstable 49.3-development
  - nixpkgs-unstable 49.3-development
  - nixos-unstable-small 49.3-development
- pkgs.python312Packages.fontforge: None
- pkgs.python313Packages.fontforge: Font editor
- pkgs.python314Packages.fontforge: Font editor
- pkgs.python312Packages.mcdreforged: None
- pkgs.python313Packages.mcdreforged: Rewritten version of MCDaemon, a python tool to control your Minecraft server
- pkgs.python314Packages.mcdreforged: Rewritten version of MCDaemon, a python tool to control your Minecraft server
- pkgs.python312Packages.browserforge: None
- pkgs.python313Packages.browserforge: Intelligent browser header & fingerprint generator
- pkgs.python314Packages.browserforge: Intelligent browser header & fingerprint generator
- pkgs.nodePackages.@electron-forge/cli: None
Package maintainers
- @philiptaron Philip Taron <philip.taron@gmail.com>
- @UlyssesZh Ulysses Zhan <ulysseszhan@gmail.com>
- @dyegoaurelio Dyego Aurelio <d@dyego.email>
- @eigengrau Sebastian Reuße <seb@schattenkopie.de>
- @Aleksanaa Aleksana QwQ <me@aleksana.moe>
- @getchoo Seth Flynn <getchoo@tuta.io>
- @michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
- @christoph-heiss Christoph Heiss <christoph@c8h4.io>
- @tebriel tebriel <tebriel@frodux.in>
- @bendlas Herwig Hochleitner <herwig@bendlas.net>
- @adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
- @emilylange Emily Lange <nix@emilylange.de>
- @nycodeghg Marie Ramlow <tabmeier12+nix@gmail.com>
- @pyrox0 Pyrox <pyrox@pyrox.dev>
- @isabelroses Isabel Roses <isabel@isabelroses.com>
- @0xda157 0xda157 <da157@voidq.com>
- @nrabulinski Nikodem Rabuliński <1337-nix@nrab.lol>
- @agustinmista Agustin Mista <agustin@mista.me>
- @cyplo Cyryl Płotnicki <nixos@cyplo.dev>
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>