
David Lehn

#17997 of 53,635
15 Total CVSS
Vulnerabilities · 2
High
2
PT-2022-16867
7.5
2022-03-18
Unknown · Node-Forge · CVE-2022-24771
**Name of the Vulnerable Software and Affected Versions**

node-forge versions prior to 1.3.0

**Description**

The issue concerns the RSA PKCS#1 v1.5 signature verification code in node-forge, which is lenient in checking the digest algorithm structure. This leniency can allow a crafted structure to steal padding bytes and use the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.

**Recommendations**

For versions prior to 1.3.0, update to version 1.3.0 to address the issue. As a temporary workaround, consider restricting the use of low public exponents in RSA signatures until the update is applied.
PT-2022-16868
7.5
2022-03-18
Unknown · Node-Forge · CVE-2022-24772
**Name of the Vulnerable Software and Affected Versions**

node-forge versions prior to 1.3.0

**Description**

The issue concerns the RSA PKCS#1 v1.5 signature verification code in node-forge, which does not check for trailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.

**Recommendations**

For versions prior to 1.3.0, update to version 1.3.0 to address the issue. As a temporary workaround, consider restricting the use of low public exponents in RSA signatures until the update is applied.
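
Both entries above describe a verifier that parses the decoded PKCS#1 v1.5 block leniently. One way to rule out both issues is to rebuild the expected encoded message and compare it byte for byte, shown here as an added example that is not node-forge's code. It assumes SHA-256 and Node's built-in `crypto` module, and the function names are hypothetical.

```javascript
// Added example (not node-forge code): strict EMSA-PKCS1-v1_5 verification.
const crypto = require("node:crypto");

// DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
const SHA256_PREFIX = Buffer.from("3031300d060960864801650304020105000420", "hex");

// Build the single valid encoded message for `digest` in a k-byte modulus.
function encodeEm(digest, k) {
  const t = Buffer.concat([SHA256_PREFIX, digest]);
  const psLen = k - t.length - 3;
  if (psLen < 8) throw new Error("modulus too short for this digest");
  return Buffer.concat([
    Buffer.from([0x00, 0x01]),
    Buffer.alloc(psLen, 0xff), // padding must fill every remaining byte
    Buffer.from([0x00]),
    t, // DigestInfo is the last thing in the block: no room for extra bytes
  ]);
}

// `em` is the output of the RSA public-key operation, k bytes long.
function strictCheck(em, message, k) {
  const digest = crypto.createHash("sha256").update(message).digest();
  const expected = encodeEm(digest, k);
  return em.length === expected.length && crypto.timingSafeEqual(em, expected);
}

// Hypothetical wrapper: raw RSA via Node's crypto, then the strict comparison.
function verifyStrict(publicKey, message, signature) {
  const k = publicKey.asymmetricKeyDetails.modulusLength / 8;
  if (signature.length !== k) return false;
  let em;
  try {
    em = crypto.publicDecrypt(
      { key: publicKey, padding: crypto.constants.RSA_NO_PADDING }, signature);
  } catch {
    return false; // e.g. signature value not smaller than the modulus
  }
  return strictCheck(em, message, k);
}

// Constructed sample: padding cut to 8 bytes, 194 filler bytes after the digest.
function sampleMalformedEm(message) {
  const digest = crypto.createHash("sha256").update(message).digest();
  return Buffer.concat([Buffer.from([0x00, 0x01]), Buffer.alloc(8, 0xff),
    Buffer.from([0x00]), SHA256_PREFIX, digest, Buffer.alloc(194, 0x41)]);
}
```

Because the comparison covers the whole block, a shortened padding run, an altered digest algorithm structure, or bytes after the `DigestInfo` all fail the same check, regardless of the public exponent.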