Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, lies in the `BigInteger.modInverse()` function, which `node-forge` inherits from the `jsbn` big-integer code it bundles. When the function is called with a zero operand, the internal Extended Euclidean loop reaches a state whose exit condition can never be met, so the Node.js process hangs indefinitely and pins a core at 100% CPU. Because the hang is triggered by a single value rather than by volume, any code path that lets untrusted input reach `modInverse()` (parsed keys, signature parameters, protocol fields) turns one request into a stalled worker.
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The fix ships in the newly released `node-forge` 1.4.0. The library underpins cryptographic operations (RSA, X.509, TLS, PKCS) in thousands of Node.js applications, often as a transitive dependency, so developers and security teams should treat this as a priority dependency update and check lockfiles, not only direct `package.json` entries, for affected versions.
The fix highlights the persistent risk of inherited vulnerabilities in bundled dependencies and the operational threat of DoS conditions inside core cryptographic primitives, where a hang is as damaging to availability as a crash and harder to detect. Organizations running `node-forge` versions prior to 1.4.0 are exposed to service disruption. The advisory, GHSA-..., recommends updating to 1.4.0 immediately; where an upgrade cannot land at once, callers can reject a zero operand before invoking `modInverse()`, since that is the input that triggers the hang. Left unpatched, the flaw can be exploited to leave services unresponsive and exhaust CPU in affected applications.
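To make the failure mode and the interim guard concrete, here is an added example that is not `node-forge` or `jsbn` code. It re-implements the binary Extended Euclidean modular inverse over JavaScript `BigInt` for an odd modulus (the loop structure the article describes), adds an iteration cap so the zero-operand case raises instead of hanging, and pairs it with a caller-side wrapper that rejects the triggering input up front. The function names (`binaryModInverse`, `safeModInverse`, `unguardedHangs`, `guardRejects`), the odd-modulus restriction and the iteration cap are all assumptions of this example, not properties of the library.

```javascript
// Added example for this article: NOT node-forge or jsbn code. A BigInt
// re-implementation of the binary extended Euclidean inverse for an odd
// modulus, with an iteration cap so a zero operand throws instead of
// spinning, plus the caller-side guard usable until node-forge 1.4.0 lands.

const isEven = (x) => (x & 1n) === 0n;

// Unguarded inverse of `a` modulo an odd `m`. Returns 0n when gcd(a, m) != 1
// (the same sentinel convention jsbn uses) and throws once the halving loops
// exceed `maxIter` steps. A zero operand never leaves the `v` halving loop:
// 0 is even and 0 >> 1 is still 0, so without the cap this spins forever.
function binaryModInverse(a, m, maxIter = 1 << 20) {
  if (m <= 1n || isEven(m)) throw new RangeError('this example needs an odd modulus > 1');
  let u = m;
  let v = ((a % m) + m) % m;   // reduce the operand into [0, m)
  let b = 0n;                  // invariant: u ≡ b * a (mod m)
  let d = 1n;                  // invariant: v ≡ d * a (mod m)
  let steps = 0;
  const halve = () => {
    if (++steps > maxIter) {
      throw new Error(`modInverse did not terminate after ${maxIter} halvings (zero operand?)`);
    }
  };
  while (u !== 0n) {
    while (isEven(u)) {
      halve();
      u >>= 1n;
      if (!isEven(b)) b -= m;  // b - m is even because m is odd, so b/2 stays exact
      b >>= 1n;
    }
    while (isEven(v)) {        // v === 0n stays in this loop forever
      halve();
      v >>= 1n;
      if (!isEven(d)) d -= m;
      d >>= 1n;
    }
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) return 0n;     // gcd(a, m) != 1: no inverse exists
  return ((d % m) + m) % m;
}

// Hardened wrapper: reject the exact input that triggers the hang before any
// arithmetic runs, and turn the 0n "no inverse" sentinel into an error so a
// caller cannot silently continue with 0n as a key component.
function safeModInverse(a, m) {
  const r = ((a % m) + m) % m;
  if (r === 0n) throw new RangeError('modInverse: operand is 0 mod m, no inverse exists');
  const inv = binaryModInverse(r, m);
  if (inv === 0n) throw new RangeError('modInverse: gcd(a, m) != 1, no inverse exists');
  return inv;
}

// Probe: does the unguarded routine fail to terminate on this operand
// (observed via the small cap instead of a real hang)?
function unguardedHangs(a, m) {
  try { binaryModInverse(a, m, 64); return false; }
  catch (e) { return /did not terminate/.test(e.message); }
}

// Probe: does the guard reject the operand cleanly with a RangeError?
function guardRejects(a, m) {
  try { safeModInverse(a, m); return false; }
  catch (e) { return e instanceof RangeError; }
}

// Demonstration when run directly with `node`.
console.log('3^-1 mod 11 =', binaryModInverse(3n, 11n));               // 4n
console.log('unguarded hangs on 0 mod 11:', unguardedHangs(0n, 11n));  // true
console.log('guard rejects 0 mod 11:', guardRejects(0n, 11n));         // true
```

The guard reduces the operand modulo `m` first, so a multiple of the modulus (which also reduces to zero) is rejected too; checking only `a === 0n` would miss that case.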