Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: forge-mtg

Found 4 matching suggestions

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-33896
7.4 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @pyrox0 Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @pyrox0 dismissed (not in Nixpkgs) 2 months, 3 weeks ago
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.

Affected products

forge
  • ==< 1.4.0

Matching in nixpkgs

pkgs.forgejo

Self-hosted lightweight software forge

pkgs.forge-mtg

Magic: the Gathering card game with rules enforcement

pkgs.forgejo-cli

CLI application for interacting with Forgejo

pkgs.forgejo-mcp

Model Context Protocol (MCP) server for interacting with the Forgejo REST API

pkgs.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-33895
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @pyrox0 Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @pyrox0 dismissed (not in Nixpkgs) 2 months, 3 weeks ago
Forge has signature forgery in Ed25519 due to missing S > L check

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed. Version 1.4.0 patches the issue.

Affected products

forge
  • ==< 1.4.0

Matching in nixpkgs

pkgs.forgejo

Self-hosted lightweight software forge

pkgs.forge-mtg

Magic: the Gathering card game with rules enforcement

pkgs.forgejo-cli

CLI application for interacting with Forgejo

pkgs.forgejo-mcp

Model Context Protocol (MCP) server for interacting with the Forgejo REST API

pkgs.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-33891
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @pyrox0 Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @pyrox0 dismissed (not in Nixpkgs) 2 months, 3 weeks ago
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.

Affected products

forge
  • ==< 1.4.0

Matching in nixpkgs

pkgs.forgejo

Self-hosted lightweight software forge

pkgs.forge-mtg

Magic: the Gathering card game with rules enforcement

pkgs.forgejo-cli

CLI application for interacting with Forgejo

pkgs.forgejo-mcp

Model Context Protocol (MCP) server for interacting with the Forgejo REST API

pkgs.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-33894
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @pyrox0 Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @pyrox0 dismissed (not in Nixpkgs) 2 months, 3 weeks ago
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.

Affected products

forge
  • ==< 1.4.0

Matching in nixpkgs

pkgs.forgejo

Self-hosted lightweight software forge

pkgs.forge-mtg

Magic: the Gathering card game with rules enforcement

pkgs.forgejo-cli

CLI application for interacting with Forgejo

pkgs.forgejo-mcp

Model Context Protocol (MCP) server for interacting with the Forgejo REST API

pkgs.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server