Critical DoS Flaw in node-forge 1.3.1 Prompts Urgent Update to 1.4.0
A high-severity Denial of Service (DoS) vulnerability in the widely used `node-forge` cryptography library has prompted an urgent update. The flaw, tracked as CVE-2026-33891, is in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When the function is called with zero as input, its internal extended Euclidean loop never reaches its exit condition, so the call never returns and the thread spins at 100% CPU. Because Node.js runs JavaScript on a single thread, a synchronous loop that never returns blocks the event loop and the process stops serving every request, not only the one that triggered the call. Any code path in which an attacker-controlled value can reach this function is therefore a straightforward way to paralyze a dependent application; no crash or memory corruption is needed.
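As an added example (not code from node-forge, jsbn or the advisory), the following plain-JavaScript modular inverse over `BigInt` shows the preconditions a modular inverse has to establish before its Euclidean loop runs: the modulus must exceed 1, the operand must be non-zero after reduction, and operand and modulus must be coprime. The same guard can be placed in front of a call into any third-party implementation when the operand originates from untrusted input. The function names and the sample numbers are my own.

```javascript
// Added example: a modular inverse over BigInt with explicit input validation.
// Not code from node-forge or jsbn; function names and test values are constructed.

// Reduce a into the range [0, m).
function reduce(a, m) {
  return ((a % m) + m) % m;
}

// Check the preconditions before any loop runs. Returns the reduced operand.
function assertInvertibleOperand(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverse requires BigInt operands');
  }
  if (m <= 1n) throw new RangeError(`modulus must be greater than 1, got ${m}`);
  const r = reduce(a, m);
  if (r === 0n) throw new RangeError(`0 has no inverse modulo ${m}`);
  return r;
}

// Extended Euclidean algorithm: returns x in [0, m) with (a * x) mod m === 1.
// Throws instead of spinning when a is 0 or gcd(a, m) !== 1.
function modInverse(a, m) {
  a = assertInvertibleOperand(a, m);
  let [oldR, r] = [a, m];   // remainders; the loop ends when r reaches 0
  let [oldS, s] = [1n, 0n]; // coefficients of a: oldR === oldS * a (mod m)
  while (r !== 0n) {
    const q = oldR / r;     // BigInt division truncates, which is what Euclid needs
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) {
    throw new RangeError(`${a} is not invertible modulo ${m}: gcd is ${oldR}`);
  }
  return reduce(oldS, m);
}

// Variant for callers that prefer null to an exception on bad input.
// Type errors still propagate: they are programmer mistakes, not data problems.
function tryModInverse(a, m) {
  try {
    return modInverse(a, m);
  } catch (e) {
    if (e instanceof RangeError) return null;
    throw e;
  }
}

// Stand-alone demo with textbook RSA numbers: e = 17, phi(n) = 3120, d = 2753.
console.log(String(modInverse(17n, 3120n)));   // 2753
console.log(String(tryModInverse(0n, 3120n))); // null, no hang
```

Two details are worth noting. This iterative form terminates even for a zero operand (the first division step leaves `r === 0n` with `gcd === m`), so the explicit checks are there to fail with a clear message rather than to prevent a hang; their second purpose is to stand in front of an implementation that does not validate, such as the affected jsbn routine. node-forge's `BigInteger` is jsbn's own class, not the built-in `BigInt`, so a value pulled from a parsed key or certificate has to be converted (a radix-16 string via `toString(16)` and `BigInt('0x' + ...)` is one route) before it can be checked this way.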
The vulnerability was reported by a researcher known as Kr0emer and is fixed in the newly released node-forge 1.4.0. The security advisory, published by the maintainers at Digital Bazaar, carries a HIGH severity rating. The fix matters for any project that relies on the library for cryptographic operations, including TLS/SSL, X.509 certificate handling, and other PKI functions, such as the referenced `ui-frontend/packages/catalog-ui-search` package.
This incident underscores the persistent supply chain risk in open-source software, where a single vulnerable dependency can take down an entire application stack. Development teams should audit their projects for affected versions (1.3.1 and earlier) and upgrade to 1.4.0 to remove the risk of service disruption. Because `node-forge` is frequently pulled in transitively rather than declared directly, the audit has to cover the full resolved tree (for example `npm ls node-forge`, or a scan of the lockfile): a nested copy under another package's `node_modules` is used by that package and is just as reachable as the top-level one. The prompt release of a patch reflects the responsive security maintenance of the `node-forge` project, but the onus remains on downstream consumers to apply the update before the vulnerability is exploited in the wild.
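To illustrate the lockfile-level audit, here is an added example (not tooling from the node-forge project or from npm) that walks the `packages` map of a package-lock.json (lockfile version 2 or 3), finds every installed copy of a package including copies nested under other packages, and flags versions below the fixed release. The lockfile object is constructed for the example; `example-app` and `some-tool` are placeholders, and the function names are my own.

```javascript
// Added example: audit every copy of a dependency in a package-lock.json "packages" map.
// The lockfile below is constructed for this example; "example-app" and "some-tool" are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'some-tool': '^2.0.0', 'node-forge': '^1.3.0' } },
    'node_modules/node-forge': { version: '1.3.1' },
    'node_modules/some-tool': { version: '2.0.0', dependencies: { 'node-forge': '^1.4.0' } },
    // Nested copy: a different version resolved for some-tool's own dependency.
    'node_modules/some-tool/node_modules/node-forge': { version: '1.4.0' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; any prerelease or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: a plain string compare would rank "1.10.0" below "1.9.0".
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`: the key is "node_modules/<name>" at the top level
// or "<parent path>/node_modules/<name>" for a nested copy.
function findInstalledCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Flag copies below `fixedVersion`; an entry without a version is reported as unknown (null).
function auditLock(lock, name, fixedVersion) {
  return findInstalledCopies(lock, name).map(c => ({
    ...c,
    vulnerable: c.version ? compareVersions(c.version, fixedVersion) < 0 : null,
  }));
}

// For a real lockfile read from disk: auditLockText(fs.readFileSync('package-lock.json', 'utf8'), ...)
function auditLockText(jsonText, name, fixedVersion) {
  return auditLock(JSON.parse(jsonText), name, fixedVersion);
}

for (const r of auditLock(SAMPLE_LOCK, 'node-forge', '1.4.0')) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.path} @ ${r.version}`);
}
```

In the constructed lockfile the top-level copy is 1.3.1 and is flagged, while the copy nested under `some-tool` is already 1.4.0 and is not; a check that only reads the root `dependencies` block, or only the first match, would miss one of the two. The path matching is specific to npm's lockfile layout; yarn and pnpm lockfiles record the same information in a different shape and need their own walker.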