WS-2022-0008
Published: May 14, 2026
Updated: May 14, 2026
Impact

The "forge.debug" API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Patches

The "forge.debug" API and related functions were removed in 1.0.0.

Workarounds

Don't use the "forge.debug" API directly or indirectly with untrusted input.

References

- https://www.huntr.dev/bounties/1-npm-node-forge/

For more information

If you have any questions or comments about this advisory:

* Open an issue in "forge" (https://github.com/digitalbazaar/forge).
* Email us at support@digitalbazaar.com.
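As an added illustration of the weakness class this advisory names (constructed example code, not node-forge's own code and not the removed "forge.debug" implementation), the following JavaScript contrasts a debug-style key-path setter that untrusted input can steer into Object.prototype with a hardened variant that rejects prototype-reaching keys; the function names and the dotted-path format are assumptions:

```javascript
// Constructed illustration of the CWE-1321 pattern the advisory describes:
// a debug-style setter that walks a dotted key path into nested objects.
// Hypothetical code, not node-forge's forge.debug implementation.
// Unsafe pattern: every path segment is used as a property name, so a path
// beginning with "__proto__" walks into Object.prototype and writes there.
function unsafeDebugSet(store, path, value) {
  const keys = path.split('.');
  let obj = store;
  for (let i = 0; i < keys.length - 1; i++) {
    if (obj[keys[i]] === undefined) obj[keys[i]] = {};
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
  return store;
}

// Hardened pattern: reject segments that reach the prototype chain, descend
// only into own plain-object properties, and create prototype-less objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDebugSet(store, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error('rejected prototype-reaching key in path: ' + path);
  }
  let obj = store;
  for (let i = 0; i < keys.length - 1; i++) {
    const cur = obj[keys[i]];
    const isOwnObject = Object.prototype.hasOwnProperty.call(obj, keys[i]) &&
      typeof cur === 'object' && cur !== null;
    if (!isOwnObject) obj[keys[i]] = Object.create(null);
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
  return store;
}

// Shows the difference on one constructed untrusted path: the unsafe setter
// makes the value visible on every object; the safe one refuses the path.
function demonstrate() {
  const untrustedPath = '__proto__.polluted'; // constructed untrusted input
  const before = ({}).polluted;               // undefined on a clean runtime
  unsafeDebugSet({}, untrustedPath, 'yes');
  const after = ({}).polluted;                // now 'yes' for unrelated objects
  delete Object.prototype.polluted;           // undo the pollution for the demo
  let blocked = false;
  try { safeDebugSet({}, untrustedPath, 'yes'); } catch (e) { blocked = true; }
  return { before, after, blocked, stillClean: ({}).polluted === undefined };
}
```

The same check (reject "__proto__", "constructor" and "prototype" segments, and only descend into own properties) is the minimal guard for any setter that maps caller-supplied key paths onto nested objects.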
CVSS v4
Base Score: 7.5
Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: HIGH
User Interaction: NONE
Vulnerable System Confidentiality: HIGH
Vulnerable System Integrity: HIGH
Vulnerable System Availability: HIGH
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 6.6
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
Weakness Type (CWE): Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')