digitalbazaar CVE Vulnerabilities & Metrics

Focus on digitalbazaar vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About digitalbazaar Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with digitalbazaar. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total digitalbazaar CVEs: 8
Earliest CVE date: 01 Sep 2020, 10:15 UTC
Latest CVE date: 26 Nov 2025, 23:15 UTC

Latest CVE reference: CVE-2025-66031

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical digitalbazaar CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.54

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 3
4.0-6.9 4
7.0-8.9 1
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS digitalbazaar CVEs

These are the five CVEs with the highest CVSS scores for digitalbazaar, sorted by severity first and then by recency.

All CVEs for digitalbazaar

CVE-2025-66031 digitalbazaar vulnerability CVSS: 0 26 Nov 2025, 23:15 UTC

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

CVE-2025-66030 digitalbazaar vulnerability CVSS: 0 26 Nov 2025, 23:15 UTC

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

CVE-2025-12816 digitalbazaar vulnerability CVSS: 0 25 Nov 2025, 20:15 UTC

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

CVE-2022-24773 digitalbazaar vulnerability CVSS: 5.0 18 Mar 2022, 14:15 UTC

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

CVE-2022-24772 digitalbazaar vulnerability CVSS: 5.0 18 Mar 2022, 14:15 UTC

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for trailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

CVE-2022-24771 digitalbazaar vulnerability CVSS: 5.0 18 Mar 2022, 14:15 UTC

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. There are currently no known workarounds.

CVE-2022-0122 digitalbazaar vulnerability CVSS: 5.8 06 Jan 2022, 05:15 UTC

forge is vulnerable to URL Redirection to Untrusted Site.

CVE-2020-7720 digitalbazaar vulnerability CVSS: 7.5 01 Sep 2020, 10:15 UTC

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.