{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/certificate-forgery/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["certificate-forgery","man-in-the-middle","node-forge","basicConstraints"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in the node-forge npm package, specifically in versions 1.3.3 and earlier. The \u003ccode\u003epki.verifyCertificateChain()\u003c/code\u003e function doesn\u0026rsquo;t properly validate the \u003ccode\u003ebasicConstraints\u003c/code\u003e extension during certificate chain verification, as specified in RFC 5280. When an intermediate certificate lacks both the \u003ccode\u003ebasicConstraints\u003c/code\u003e and \u003ccode\u003ekeyUsage\u003c/code\u003e extensions, the verification process incorrectly skips crucial checks, leading to the acceptance of the certificate as a valid CA. This allows attackers to forge certificates and perform man-in-the-middle attacks against applications using node-forge for custom PKI implementations, S/MIME signature verification, IoT device certificate validation, or any other non-native TLS certificate chain verification. The vulnerability was reported on 2026-03-10 via GitHub Security Advisory and assigned CVE-2026-33896.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a valid leaf certificate (e.g., a TLS certificate) that lacks both the \u003ccode\u003ebasicConstraints\u003c/code\u003e and \u003ccode\u003ekeyUsage\u003c/code\u003e extensions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this leaf certificate to sign a malicious certificate for a target domain (e.g., \u003ccode\u003evictim.example.com\u003c/code\u003e). The forged certificate appears to be issued by a legitimate but compromised CA.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts network traffic between a client and a server.\u003c/li\u003e\n\u003cli\u003eThe attacker presents the forged certificate chain (root CA -\u0026gt; compromised leaf CA -\u0026gt; malicious certificate for victim.example.com) to the client.\u003c/li\u003e\n\u003cli\u003eThe client application uses node-forge\u0026rsquo;s \u003ccode\u003epki.verifyCertificateChain()\u003c/code\u003e function to validate the certificate chain.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003ebasicConstraints\u003c/code\u003e and \u003ccode\u003ekeyUsage\u003c/code\u003e extensions in the compromised leaf certificate, the validation process incorrectly accepts the certificate chain as valid.\u003c/li\u003e\n\u003cli\u003eThe client establishes a TLS connection with the attacker, believing they are communicating with the legitimate server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then eavesdrop on, modify, or block the communication between the client and the server, leading to data theft, account compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of applications relying on node-forge for certificate validation. An attacker can forge certificates for any domain, allowing them to perform man-in-the-middle attacks, intercept sensitive data, and impersonate legitimate services. The number of potential victims is large, affecting any application using node-forge for custom PKI implementations, S/MIME signature verification, IoT device certificate validation, and any non-native-TLS certificate chain verification. The severity is high, as it bypasses fundamental security controls related to certificate trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to node-forge version 1.3.4 or later, which includes the fix for CVE-2026-33896.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect the execution of node-forge with vulnerable versions to identify potentially affected systems.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider patching the \u003ccode\u003elib/x509.js\u003c/code\u003e file in your node-forge installation with the fix suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T22:06:12Z","date_published":"2026-03-26T22:06:12Z","id":"/briefs/2026-07-node-forge-basic-constraints-bypass/","summary":"Node-forge's certificate chain verification fails to enforce RFC 5280 basicConstraints, allowing leaf certificates without basicConstraints and keyUsage extensions to act as Certificate Authorities, leading to potential certificate forgery and man-in-the-middle attacks.","title":"Node-Forge Certificate Chain Verification Bypass due to basicConstraints Violation","url":"https://feed.craftedsignal.io/briefs/2026-07-node-forge-basic-constraints-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Certificate-Forgery","version":"https://jsonfeed.org/version/1.1"}