office-addin-dev-certs-1.11.3.tgz: 3 vulnerabilities (highest severity is: 8.6) #2835
Description
Vulnerable Library - office-addin-dev-certs-1.11.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (office-addin-dev-certs version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-12816 |  High |
8.6 | node-forge-1.3.1.tgz | Transitive | 1.11.4 | ❌ |
| CVE-2025-66031 | High |
7.5 | node-forge-1.3.1.tgz | Transitive | 1.11.4 | ❌ |
| CVE-2025-66030 |  Medium |
5.3 | node-forge-1.3.1.tgz | Transitive | 1.11.4 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-12816
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- office-addin-dev-certs-1.11.3.tgz (Root Library)
- mkcert-1.5.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
- mkcert-1.5.1.tgz
Found in base branch: master
Vulnerability Details
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Publish Date: 2025-11-25
URL: CVE-2025-12816
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5gfm-wpxj-wjgq
Release Date: 2025-11-25
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (office-addin-dev-certs): 1.11.4
Step up your Open Source Security Game with Mend here
CVE-2025-66031
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- office-addin-dev-certs-1.11.3.tgz (Root Library)
- mkcert-1.5.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
- mkcert-1.5.1.tgz
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66031
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-554w-wpv2-vw27
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (office-addin-dev-certs): 1.11.4
Step up your Open Source Security Game with Mend here
CVE-2025-66030
Vulnerable Library - node-forge-1.3.1.tgz
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- office-addin-dev-certs-1.11.3.tgz (Root Library)
- mkcert-1.5.1.tgz
- ❌ node-forge-1.3.1.tgz (Vulnerable Library)
- mkcert-1.5.1.tgz
Found in base branch: master
Vulnerability Details
Forge (also called "node-forge") is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.
Publish Date: 2025-11-26
URL: CVE-2025-66030
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-65ch-62r8-g69g
Release Date: 2025-11-26
Fix Resolution (node-forge): 1.3.2
Direct dependency fix Resolution (office-addin-dev-certs): 1.11.4
Step up your Open Source Security Game with Mend here