Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: nodePackages_latest.@electron-forge/cli

Found 23 matching suggestions

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-33891
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 3 weeks ago by @pyrox0 Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @pyrox0 dismissed (not in Nixpkgs) 2 months, 3 weeks ago
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.

Affected products

forge
  • ==< 1.4.0

Matching in nixpkgs

pkgs.forgejo

Self-hosted lightweight software forge

pkgs.forge-mtg

Magic: the Gathering card game with rules enforcement

pkgs.forgejo-cli

CLI application for interacting with Forgejo

pkgs.forgejo-mcp

Model Context Protocol (MCP) server for interacting with the Forgejo REST API

pkgs.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server

Dismissed
(not in Nixpkgs)
Permalink CVE-2026-33894
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 3 weeks ago by @pyrox0 Activity log
  • Created suggestion 2 months, 3 weeks ago
  • @pyrox0 dismissed (not in Nixpkgs) 2 months, 3 weeks ago
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries. Version 1.4.0 patches the issue.

Affected products

forge
  • ==< 1.4.0

Matching in nixpkgs

pkgs.forgejo

Self-hosted lightweight software forge

pkgs.forge-mtg

Magic: the Gathering card game with rules enforcement

pkgs.forgejo-cli

CLI application for interacting with Forgejo

pkgs.forgejo-mcp

Model Context Protocol (MCP) server for interacting with the Forgejo REST API

pkgs.mcdreforged

Rewritten version of MCDaemon, a python tool to control your Minecraft server

Untriaged
Permalink CVE-2025-5805
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
created 4 months, 4 weeks ago Activity log
  • Created suggestion 4 months, 4 weeks ago
WordPress Electron theme <= 1.8.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Electron: from n/a through <= 1.8.2.

Affected products

electron
  • =<<= 1.8.2

Matching in nixpkgs

pkgs.electron-mail

Unofficial Election-based ProtonMail desktop client