Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm never reaches its exit condition, causing the Node.js process to hang indefinitely and consume 100% of CPU resources.
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`, published on March 24, 2026. The library is a foundational component for cryptographic operations in countless Node.js applications, including those handling TLS, SSH, and digital signatures. The specific infinite loop condition presents a clear vector for resource exhaustion attacks.
This mandatory patch puts immediate pressure on development and security teams to update their dependencies. Any application using a vulnerable version (1.3.1 or earlier) is exposed to a trivial DoS attack that could cripple service availability. The fix underscores the persistent risk in core cryptographic dependencies and the cascading impact a single function can have across the software supply chain. Organizations must audit their dependency trees for `node-forge` and prioritize this update to mitigate operational risk.
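As an added example (not node-forge's or jsbn's own code), the following shows what a terminating modular-inverse routine looks like on native `BigInt`, with the input validation a caller should apply before handing a value to any `modInverse()` implementation, plus a small helper for the dependency audit described above. The version boundary (fixed in 1.4.0, vulnerable at 1.3.1 or earlier) is taken from this page; everything else is illustrative.

```javascript
// Returns {ok: true, value} with value * a ≡ 1 (mod m), or {ok: false, reason}.
// The loop cannot run forever: every iteration strictly decreases r1 toward 0.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    return { ok: false, reason: 'inputs must be BigInt' };
  }
  if (m <= 1n) return { ok: false, reason: 'modulus must be > 1' };
  a = ((a % m) + m) % m;                      // normalise into [0, m)
  if (a === 0n) {
    // Zero has no inverse; this is the input class behind the hang on the page.
    return { ok: false, reason: 'zero has no modular inverse' };
  }
  // Extended Euclid on (r0, r1) = (m, a), tracking only the coefficient of a.
  let r0 = m, r1 = a, t0 = 0n, t1 = 1n;
  while (r1 !== 0n) {
    const q = r0 / r1;                        // BigInt division truncates
    [r0, r1] = [r1, r0 - q * r1];             // r1 shrinks strictly each round
    [t0, t1] = [t1, t0 - q * t1];
  }
  if (r0 !== 1n) return { ok: false, reason: 'gcd(a, m) != 1, no inverse' };
  return { ok: true, value: ((t0 % m) + m) % m };
}

// Audit helper: true when a node-forge version string is older than the
// fixed 1.4.0 release, null when the string is not a plain x.y.z version.
function isVulnerableForgeVersion(version) {
  const parts = version.replace(/^v/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  const [major, minor] = parts;
  return major < 1 || (major === 1 && minor < 4);
}
```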