CVE-2022-24773 node-forge security vulnerability #1634

@dsuresh-ap

Description

[READ] Step 1: Are you in the right place?

  • For issues related to the code in this repository file a Github issue.
  • If the issue pertains to Cloud Firestore, read the instructions in the "Firestore issue"
    template.
  • For general technical questions, post a question on StackOverflow
    with the firebase tag.
  • For general Firebase discussion, use the firebase-talk
    google group.
  • For help troubleshooting your application that does not fall under one
    of the above categories, reach out to the personalized
    Firebase support channel.

[REQUIRED] Step 2: Describe your environment

  • Operating System version: macOS
  • Firebase SDK version: 9.5.0
  • Firebase Product: Firebase-admin-node
  • Node.js version: 10.16.3
  • NPM version: 7

[REQUIRED] Step 3: Describe the problem

node-forge needs to be updated to >=1.3.0 to address this security issue.

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Steps to reproduce:

N/A

Relevant Code:

https://github.com/firebase/firebase-admin-node/blob/master/package.json#L168
