node-forge Uncontrolled Recursion Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in node-forge, a pure-JavaScript implementation of Transport Layer Security together with the ASN.1, X.509 and related PKI utilities it is built on. The issue affects versions through 1.3.1. It arises from unbounded recursion in the ASN.1 DER parser, specifically the 'fromDer' function (forge.asn1.fromDer), which spends one JavaScript call frame for every level of nesting in the input. A remote, unauthenticated attacker who can get DER in front of that parser crafts a structure nested deeply enough (for example a long chain of SEQUENCE elements) that parsing exhausts the call stack. The engine aborts the parse with 'RangeError: Maximum call stack size exceeded'; where nothing catches that error, the process handling the parse crashes. Any application that feeds untrusted DER to node-forge, whether a peer certificate received during a TLS handshake or a certificate, key or signed message uploaded by a client, is exposed, and the input is cheap to produce and to resend.
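The following is an added example, not node-forge code, that shows the mechanism described above and the guard an application can put in front of forge.asn1.fromDer until it is upgraded. The helper names (nestedSequence, recursiveDepth, asn1NestingDepth, readTlvHeader) and the 100000-level sample input are constructed here for illustration; the recursive walker reproduces the pattern that exhausts the stack, and the iterative walker keeps its own stack of container end offsets and enforces a hard nesting limit.

```javascript
// Added example, not node-forge code: a DER nesting-depth guard that an
// application can run on untrusted bytes before calling forge.asn1.fromDer.
// It contrasts the recursive walking pattern, which spends one call frame
// per nesting level, with an iterative walk that keeps its own stack and
// enforces a hard limit. All inputs below are constructed synthetically.

// Encode a DER length: short form below 128, long form (0x80 | n, then n
// big-endian bytes) above.
function derLength(n) {
  if (n < 0x80) return [n];
  const out = [];
  for (let v = n; v > 0; v = Math.floor(v / 256)) out.unshift(v & 0xff);
  return [0x80 | out.length, ...out];
}

// Build INTEGER 0 wrapped in `depth` layers of SEQUENCE. Sizes are computed
// first and headers written from the outside in, so construction is linear
// and never recurses.
function nestedSequence(depth) {
  const sizes = [3];                         // INTEGER 0 encodes as 02 01 00
  for (let i = 1; i <= depth; i++) {
    sizes.push(sizes[i - 1] + 1 + derLength(sizes[i - 1]).length);
  }
  const out = new Uint8Array(sizes[depth]);
  let pos = 0;
  for (let i = depth; i >= 1; i--) {
    out[pos++] = 0x30;                       // SEQUENCE (constructed)
    const len = derLength(sizes[i - 1]);
    out.set(len, pos);
    pos += len.length;
  }
  out.set([0x02, 0x01, 0x00], pos);
  return out;
}

// Parse one TLV header. Indefinite lengths and multi-byte tags are rejected;
// neither is valid DER.
function readTlvHeader(bytes, pos) {
  if (pos + 1 >= bytes.length) throw new Error('truncated header at ' + pos);
  const tag = bytes[pos];
  if ((tag & 0x1f) === 0x1f) throw new Error('multi-byte tag not supported');
  let i = pos + 1;
  let length = bytes[i++];
  if (length & 0x80) {
    const n = length & 0x7f;
    if (n === 0) throw new Error('indefinite length is not DER');
    if (n > 4) throw new Error('length field too long');
    if (i + n > bytes.length) throw new Error('truncated length at ' + pos);
    length = 0;
    for (let k = 0; k < n; k++) length = length * 256 + bytes[i++];
  }
  return { constructed: (tag & 0x20) !== 0, length, headerLen: i - pos };
}

// Vulnerable pattern: recurse into every constructed element. Deeply nested
// input ends in "RangeError: Maximum call stack size exceeded".
function recursiveDepth(bytes, pos = 0, end = bytes.length, depth = 0) {
  let deepest = depth;
  while (pos < end) {
    const h = readTlvHeader(bytes, pos);
    const start = pos + h.headerLen;
    const stop = start + h.length;
    if (stop > end) throw new Error('element overruns its container at ' + pos);
    const d = h.constructed ? recursiveDepth(bytes, start, stop, depth + 1) : depth + 1;
    if (d > deepest) deepest = d;
    pos = stop;
  }
  return deepest;
}

// Hardened pattern: an explicit array of container end offsets replaces the
// call stack, and nesting beyond maxDepth is rejected. Returns the deepest
// level seen (top-level elements are depth 1).
function asn1NestingDepth(bytes, maxDepth) {
  const ends = [];                           // end offset of each open container
  let pos = 0;
  let deepest = 0;
  for (;;) {
    while (ends.length && pos === ends[ends.length - 1]) ends.pop();
    if (pos >= bytes.length) break;
    const h = readTlvHeader(bytes, pos);
    const start = pos + h.headerLen;
    const stop = start + h.length;
    const limit = ends.length ? ends[ends.length - 1] : bytes.length;
    if (stop > limit) throw new Error('element overruns its container at ' + pos);
    const depth = ends.length + 1;
    if (depth > maxDepth) throw new Error('ASN.1 nesting depth exceeds ' + maxDepth);
    if (depth > deepest) deepest = depth;
    if (h.constructed) { ends.push(stop); pos = start; } else { pos = stop; }
  }
  return deepest;
}

// Constructed inputs: a shallow structure passes; a 100000-level one blows
// the stack of the recursive walker but is rejected cleanly by the guard.
console.log('nesting depth of 3 SEQUENCEs:', asn1NestingDepth(nestedSequence(3), 32));
const deepInput = nestedSequence(100000);
try { recursiveDepth(deepInput); } catch (e) { console.log('recursive walker:', e.name + ':', e.message); }
try { asn1NestingDepth(deepInput, 64); } catch (e) { console.log('guarded walker:', e.message); }
```

A limit in the low tens is generous for X.509 certificates, PKCS#12 bags and TLS handshake structures, so a rejection at that bound is a reliable signal of hostile input rather than a false positive. The guard only bounds depth; pair it with a byte-length cap on the input, since the iterative walk is still linear in the size of the blob.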

Impact

Exploitation exhausts the call stack inside the parser. In JavaScript this surfaces as a RangeError rather than a native crash: if the error propagates out of an event-loop callback, as it will when the parse is triggered by an incoming TLS handshake, the Node.js process terminates; if the application catches it, the parse still fails and the request is lost. Either way the attacker can repeat the input at will, so any service that relies on node-forge to parse peer certificates, or that accepts certificates, keys or signed messages from clients, can be disrupted reliably and cheaply.

Remediation

Upgrade to node-forge version 1.3.2 or later. Until the upgrade is deployed, treat every code path that passes attacker-supplied DER to node-forge (for example forge.pki.certificateFromPem, or the certificate messages processed during a forge TLS handshake) as exposed: wrap the parse in a try/catch so that stack exhaustion becomes a failed request rather than a dead process, cap the size of accepted DER input, and reject input whose nesting depth exceeds a small bound before it reaches forge.asn1.fromDer.

Added: Nov 26, 2025, 11:18 PM
Updated: Nov 26, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.1
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.