Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function. When this function is called with zero as its input, the loop of the internal extended Euclidean algorithm never reaches its exit condition, so the Node.js process hangs indefinitely and consumes 100% of a CPU core.
The vulnerability, reported by researcher Kr0emer, originates in code inherited from the bundled `jsbn` library. `node-forge` is a foundational tool for implementing cryptographic operations in JavaScript and is a dependency of thousands of applications and other npm packages. Version 1.4.0 directly addresses this security issue and supersedes the vulnerable version 1.3.1.
This patch is critical for any project relying on `node-forge` for tasks that involve modular inverse calculations, such as RSA key generation or certain cryptographic protocols. The high-severity rating underscores the risk of service disruption. Developers and security teams should prioritize this update to mitigate the risk of an attacker triggering the infinite loop, which could leave an application completely unresponsive and exhaust resources in production environments.
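As an added example (not code from `node-forge` or `jsbn`), the following plain-BigInt implementation shows the checks a caller should enforce before handing untrusted values to a library's modular-inverse routine: the zero-input and non-coprime cases fail fast with an exception rather than hanging, and a loop bound provides defence in depth against a non-terminating iteration. The function names `modInverseChecked` and `inverseStatus` are chosen here for illustration.

```javascript
'use strict';

// Number of bits in a non-negative BigInt; used to bound the Euclid loop.
function bitLength(n) {
  return n === 0n ? 0 : n.toString(2).length;
}

// Returns x in [0, m) with (a * x) % m === 1n, or throws a RangeError when no
// inverse exists. Guards: modulus >= 2, a reduced mod m must be non-zero, and
// gcd(a, m) must be 1. The loop is also capped at a bound the extended
// Euclidean algorithm can never legitimately exceed (Lame's theorem: at most
// about 1.44 * log2(m) + 1 steps), so a logic error cannot spin forever.
function modInverseChecked(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverseChecked expects BigInt arguments');
  }
  if (m < 2n) throw new RangeError('modulus must be >= 2');
  a = ((a % m) + m) % m;                 // normalise a into [0, m)
  if (a === 0n) throw new RangeError('0 has no inverse mod ' + m);

  // Extended Euclid on (r0, r1) = (m, a); t tracks the coefficient of a.
  let r0 = m, r1 = a, t0 = 0n, t1 = 1n;
  const maxIters = 2 * bitLength(m) + 2;
  let iters = 0;
  while (r1 !== 0n) {
    if (++iters > maxIters) {
      throw new Error('extended Euclid exceeded its iteration bound');
    }
    const q = r0 / r1;                   // BigInt division truncates
    [r0, r1] = [r1, r0 - q * r1];
    [t0, t1] = [t1, t0 - q * t1];
  }
  if (r0 !== 1n) throw new RangeError('no inverse: gcd(a, m) = ' + r0);
  return ((t0 % m) + m) % m;             // normalise the coefficient into [0, m)
}

// Non-throwing classifier for validating inputs before calling into a library:
// 'ok', 'no-inverse' (zero, non-coprime or bad modulus) or 'error' (bad type).
function inverseStatus(a, m) {
  try { modInverseChecked(a, m); return 'ok'; }
  catch (e) { return e instanceof RangeError ? 'no-inverse' : 'error'; }
}
```

A wrapper like this in front of the library call rejects the zero input that triggers the hang in 1.3.1, but it is a stop-gap: upgrading to 1.4.0 remains the fix.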