Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)

Author: The Lab (human, unverified) | 2026-03-26 23:27:36 | Source: GitHub Issues

A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a zero value as input, the loop of the internal Extended Euclidean Algorithm never reaches its exit condition, so the Node.js process hangs indefinitely at 100% CPU.

The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`. The changelog explicitly warns of the DoS risk, noting that the infinite loop is triggered by a specific, malformed input to the cryptographic function.

This patch is a mandatory update for any application or service that depends on `node-forge` for cryptographic operations, including TLS, SSH, X.509 certificates, and other PKI functions. The library is a foundational dependency for countless npm packages. Failure to upgrade leaves systems exposed to a trivially triggered attack that can hang critical services by exhausting CPU. Developers are urged to immediately bump their dependency from version 1.3.1 or earlier to 1.4.0 to mitigate this security risk.
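As an added illustration of the failure mode described above and of the input validation a caller should apply until the upgrade lands, here is a modular-inverse routine written for this note (not `node-forge`'s or `jsbn`'s code) using native `BigInt`. It rejects the zero input up front and returns `null` whenever no inverse exists, so the Extended Euclidean loop always terminates; the function name `safeModInverse` and the helper `hasModInverse` are assumptions of this example.

```javascript
// Added example: a modular inverse with explicit input validation.
// Returns the inverse of a modulo m, or null when none exists
// (a == 0 mod m, or gcd(a, m) != 1). Never loops forever.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse expects BigInt arguments');
  }
  if (m <= 1n) return null;            // no meaningful modulus
  a = ((a % m) + m) % m;               // normalise a into [0, m)
  if (a === 0n) return null;           // the CVE-2026-33891 trigger: 0 has no inverse

  // Extended Euclid: track (oldR, r) = remainders and (oldS, s) = coefficients
  // of a, so that oldS * a == oldR (mod m) holds on every iteration.
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {                   // r strictly decreases, so this terminates
    const q = oldR / r;                // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) return null;        // gcd(a, m) != 1: not invertible
  return ((oldS % m) + m) % m;         // bring the coefficient into [0, m)
}

// Pre-check to run on untrusted values before handing them to a library
// modInverse: true only when a non-hanging, invertible input is guaranteed.
function hasModInverse(a, m) {
  return safeModInverse(a, m) !== null;
}

// Constructed sample values: the classic RSA textbook pair e = 17, phi = 3120.
console.log(safeModInverse(17n, 3120n)); // 2753n
console.log(hasModInverse(0n, 3120n));   // false, the input that hangs jsbn
```

When a value originates from a parsed certificate or key, gate the library call on `hasModInverse` (or its equivalent for the library's own big-integer type) rather than trusting the input to be non-zero.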