Nixpkgs security tracker
7.4 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid. Version 1.4.0 patches the issue.
References
Affected products
- ==< 1.4.0
Matching in nixpkgs
pkgs.forge
OpenGL interop library that can be used with ArrayFire or any other application using CUDA or OpenCL compute backend
pkgs.forgejo
Self-hosted lightweight software forge
pkgs.fontforge
Font editor
pkgs.forge-mtg
Magic: the Gathering card game with rules enforcement
pkgs.mindforger
Thinking Notebook & Markdown IDE
pkgs.forgejo-cli
CLI application for interacting with Forgejo
pkgs.forgejo-lts
Self-hosted lightweight software forge
pkgs.forgejo-mcp
Model Context Protocol (MCP) server for interacting with the Forgejo REST API
pkgs.mcdreforged
Rewritten version of MCDaemon, a python tool to control your Minecraft server
pkgs.forge-sparks
Get Git forges notifications
pkgs.fontforge-gtk
Font editor
pkgs.forgejo-runner
Runner for Forgejo based on act
pkgs.fontforge-fonttools
Font editor
pkgs.gnomeExtensions.forge
Tiling and window manager for GNOME
-
nixos-unstable 49.3-development
- nixpkgs-unstable 49.3-development
- nixos-unstable-small 49.3-development
-
nixos-25.11 49.3-development
- nixos-25.11-small 49.3-development
- nixpkgs-25.11-darwin 49.3-development
pkgs.python312Packages.fontforge
Font editor
pkgs.python313Packages.fontforge
Font editor
pkgs.python314Packages.fontforge
Font editor
pkgs.python312Packages.mcdreforged
Rewritten version of MCDaemon, a python tool to control your Minecraft server
pkgs.python313Packages.mcdreforged
Rewritten version of MCDaemon, a python tool to control your Minecraft server
pkgs.python314Packages.mcdreforged
Rewritten version of MCDaemon, a python tool to control your Minecraft server
pkgs.python312Packages.browserforge
Intelligent browser header & fingerprint generator
pkgs.python313Packages.browserforge
Intelligent browser header & fingerprint generator
pkgs.python314Packages.browserforge
Intelligent browser header & fingerprint generator
Package maintainers
-
@UlyssesZh Ulysses Zhan <ulysseszhan@gmail.com>
-
@philiptaron Philip Taron <philip.taron@gmail.com>
-
@chessai Daniel Cartwright <chessai1996@gmail.com>
-
@twesterhout Tom Westerhout
-
@eigengrau Sebastian Reuße <seb@schattenkopie.de>
-
@michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>
-
@getchoo Seth Flynn <getchoo@tuta.io>
-
@Aleksanaa Aleksana QwQ <me@aleksana.moe>
-
@emilylange Emily Lange <nix@emilylange.de>
-
@nycodeghg Marie Ramlow <tabmeier12+nix@gmail.com>
-
@urandom2 Colin Arnott <colin@urandom.co.uk>
-
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
-
@pyrox0 Pyrox <pyrox@pyrox.dev>
-
@bendlas Herwig Hochleitner <herwig@bendlas.net>
-
@0xda157 0xda157 <da157@voidq.com>
-
@isabelroses Isabel Roses <isabel@isabelroses.com>
-
@christoph-heiss Christoph Heiss <christoph@c8h4.io>
-
@honnip Jung seungwoo <me@honnip.page>
-
@cyplo Cyryl Płotnicki <nixos@cyplo.dev>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>