CVE-2025-32029
April 07, 2025
ts-asn1-der is a collection of utility classes to encode ASN.1 data following DER rule. Incorrect number DER encoding can lead to denial on service for absolute values in the range 231 -- 232 - 1. The arithmetic in the numBitLen didn't take into account that values in this range could result in a negative result upon applying the >> operator, leading to an infinite loop. The issue is patched in version 1.0.4. If upgrading is not an option, the issue can be mitigated by validating inputs to Asn1Integer to ensure that they are not smaller than -231 + 1 and no larger than 231 - 1.
Affected Packages
https://github.com/ApelegHQ/ts-asn1-der.git (GITHUB):
Affected version(s) >=1.0.0 <1.0.4Fix Suggestion:
Update to version 1.0.4@apeleghq/asn1-der (NPM):
Affected version(s) >=1.0.2 <1.0.4Fix Suggestion:
Update to version 1.0.4Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.2
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
EPSS
Base Score:
0.04
