Vulnerability Database

309,587

Total vulnerabilities in the database

Prototype Pollution in node-forge util.setPath API

Impact

forge.util.setPath had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.

Patches

The forge.util.setPath API and related functions were removed in 0.10.0.

Workarounds

Don't call forge.util.setPath directly or indirectly with untrusted keys.

References

https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720

For more information

If you have any questions or comments about this advisory:

Open an issue in forge.
Email us at support@digitalbazaar.com.

Published: Jan 8, 2022
Updated: Apr 14, 2023
GHSA: GHSA-wxgw-qj99-44c2
Severity: Low
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
digitalbazaar / node-forge	-	0.10.0

https://github.com/digitalbazaar/forge/security/advisories/GHSA-wxgw-qj99-44c2

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime