Node-Forge Ed25519 Signature Forgery Vulnerability

A vulnerability in Node-Forge's Ed25519 signature verification allows the acceptance of forged, non-canonical signatures. This issue arises because the scalar 'S' in the signature is not properly reduced modulo the group order, allowing a valid signature to be manipulated and still pass verification. This flaw can bypass authentication and authorization checks in applications that rely on the uniqueness of signatures. The vulnerability is present in Node-Forge versions through 1.3.3 and has been patched in version 1.4.0.

Impact

Exploitation of this vulnerability allows for signature forgery, where a malicious actor can create a forged signature that is accepted as valid by the Node-Forge library. This forged signature can then be used to bypass authentication and authorization mechanisms in applications that rely on Ed25519 signatures.

Reproduction

The vulnerability can be reproduced by signing a message with a valid Ed25519 private key, then adding the Ed25519 order 'L' to the 'S' component of the signature. The modified signature, which is now non-canonical but still verifies correctly in Node-Forge, can be used to bypass signature uniqueness checks and authorization logic.

Remediation

Users can update to Node-Forge version 1.4.0 or later, where this vulnerability has been fixed.