Update node-forge to fix CVE-2025-66031

[moosthuizen42]

[READ] Step 1: Are you in the right place?

• For issues related to the code in this repository file a Github issue.
• If the issue pertains to Cloud Firestore, read the instructions in the "Firestore issue"
  template.
• For general technical questions, post a question on StackOverflow
  with the firebase tag.
• For general Firebase discussion, use the firebase-talk
  google group.
• For help troubleshooting your application that does not fall under one
  of the above categories, reach out to the personalized
  Firebase support channel.

[REQUIRED] Step 2: Describe your environment

• Operating System version: node:24.10-bookworm
• Firebase SDK version: 13.2.0
• Firebase Product: auth
• Node.js version: 24.10.0
• NPM version: 11.6.1

[REQUIRED] Step 3: Describe the problem

See:

• GHSA-554w-wpv2-vw27
• https://www.tenable.com/cve/CVE-2025-66031

Steps to reproduce:

• Add firebase-admin@13.2.0 to a project as a dependency
• Run npm audit
• Receive the following warning:

# npm audit report

node-forge  <=1.3.1
Severity: high
node-forge has ASN.1 Unbounded Recursion - https://github.com/advisories/GHSA-554w-wpv2-vw27
node-forge is vulnerable to ASN.1 OID Integer Truncation - https://github.com/advisories/GHSA-65ch-62r8-g69g
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - https://github.com/advisories/GHSA-5gfm-wpxj-wjgq
fix available via `npm audit fix`
node_modules/node-forge

[moosthuizen42]

@lahirumaramba @dconeybe I apologize if pinging you like this is poor etiquette. I see you are maintainers and have recently responded to issues, so thank you for the work you are already doing.

I would like to ask for acknowledgement of this issue. Is this a good candidate for a first-time contributor to take a look at?

[dconeybe]

Hi @moosthuizen42 thanks for reminding us of this issue. It must have slipped through the cracks. My involvement in this repository is limited to Firestore. But I've updated the issue assignment to @lahirumaramba and @jonathanedey in hopes that one of them can give a relevant response.

[jonathanedey]

Hi @moosthuizen42, thanks for the reminder on this. We have a fix for this already merged #3024 but haven't gotten around to getting a release out.

In the meantime, please manually update the dependency in your environment. Since we set a version range for this dependancy you should be no conflict.

[lahirumaramba]

This should be resolved in v13.7.0. Please open a new issue if problems persist.