{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/signature-forgery/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ed25519","signature-forgery","forge","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Forge library, a popular JavaScript cryptography toolkit, exhibits a signature forgery vulnerability in its Ed25519 implementation. Specifically, the verification process lacks a critical check to ensure that the scalar \u0026lsquo;S\u0026rsquo; is less than the group order \u0026lsquo;L\u0026rsquo; (S \u0026lt; L). This omission enables the acceptance of non-canonical signatures, effectively forging signatures. This vulnerability affects Forge versions prior to 1.4.0. An attacker could exploit this flaw to bypass security mechanisms that rely on the uniqueness of cryptographic signatures, such as authentication systems, replay protection, and signed-object canonicalization checks. This is especially critical for applications assuming that valid signatures are unique. 
The issue was identified in commit \u003ccode\u003e8e1d527fe8ec2670499068db783172d4fb9012e5\u003c/code\u003e and has been present since the introduction of Ed25519 support.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application using Forge\u0026rsquo;s Ed25519 implementation for signature verification.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a valid Ed25519 signature for a specific message using a legitimate key pair.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the valid signature by adding the Ed25519 group order \u0026lsquo;L\u0026rsquo; to the \u0026lsquo;S\u0026rsquo; component of the signature (bytes 32-63), creating a non-canonical signature.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the forged, non-canonical signature to the vulnerable application for verification.\u003c/li\u003e\n\u003cli\u003eThe Forge library, due to the missing \u0026lsquo;S \u0026lt; L\u0026rsquo; check, incorrectly validates the forged signature as authentic.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application accepts the forged signature, potentially granting unauthorized access or allowing malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses authentication or authorization controls that rely on signature validation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a bypass of authentication and authorization mechanisms in applications that rely on Forge\u0026rsquo;s Ed25519 implementation for signature verification. This could result in unauthorized access to sensitive data, account compromise, or the execution of malicious commands. The number of affected applications is potentially significant, given Forge\u0026rsquo;s widespread use in JavaScript-based systems. 
This is further compounded by the vulnerability existing since the initial implementation of Ed25519 in the library. The impact of this vulnerability will vary, depending on how signatures are used within the application. Applications that depend on unique signatures for integrity checks are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Forge version 1.4.0 or later, which includes a fix for CVE-2026-33895 (\u003ca href=\"https://nvd.nist.gov/vuln/detail/CVE-2026-33895\"\u003ehttps://nvd.nist.gov/vuln/detail/CVE-2026-33895\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eApply the provided patch to earlier versions of Forge to enforce strict canonical scalar validation in the Ed25519 verification path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Forged Ed25519 Signatures via Modified S Value\u0026rdquo; to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eAudit applications using Forge to identify and remediate any reliance on signature uniqueness for security-critical functions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T22:08:55Z","date_published":"2026-03-26T22:08:55Z","id":"/briefs/2026-09-forge-ed25519-forgery/","summary":"Forge is vulnerable to signature forgery in Ed25519 due to a missing check that S \u003c L, allowing non-canonical signatures and potentially bypassing authentication/authorization logic, affecting versions before 1.4.0.","title":"Forge Ed25519 Signature Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-09-forge-ed25519-forgery/"}],"language":"en","title":"CraftedSignal Threat Feed — Signature-Forgery","version":"https://jsonfeed.org/version/1.1"}