Vulnerability Description
ts-asn1-der is a collection of utility classes to encode ASN.1 data following DER rule. Incorrect number DER encoding can lead to denial on service for absolute values in the range 2**31 -- 2**32 - 1. The arithmetic in the numBitLen didn't take into account that values in this range could result in a negative result upon applying the >> operator, leading to an infinite loop. The issue is patched in version 1.0.4. If upgrading is not an option, the issue can be mitigated by validating inputs to Asn1Integer to ensure that they are not smaller than -2**31 + 1 and no larger than 2**31 - 1.
Related Weaknesses (CWE)
References
- https://github.com/ApelegHQ/ts-asn1-der/commit/b2bc9032cbe19755d234a27d79e47a7e5
- https://github.com/ApelegHQ/ts-asn1-der/security/advisories/GHSA-p4qw-7j9g-5h53
FAQ
What is CVE-2025-32029?
CVE-2025-32029 is a documented vulnerability. ts-asn1-der is a collection of utility classes to encode ASN.1 data following DER rule. Incorrect number DER encoding can lead to denial on service for absolute values in the range 2**31 -- 2**32 - 1....
How severe is CVE-2025-32029?
CVSS scoring is not yet available for CVE-2025-32029. Check NVD for updates.
Is there a patch for CVE-2025-32029?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.