Critical DoS Flaw in Node-Forge Library Patched in Version 1.4.0
A high-severity Denial of Service (DoS) vulnerability has been patched in the widely used `node-forge` cryptography library. The flaw, tracked as CVE-2026-XXXX, resides in the `BigInteger.modInverse()` function. When called with a zero value as input, the function triggers an infinite loop in the underlying Extended Euclidean Algorithm, causing the Node.js process to hang indefinitely and consume 100% CPU resources. This vulnerability is inherited from the library's bundled `jsbn` dependency and was reported by security researcher Kr0emer.
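The defensive lesson from the flaw above is that a modular-inverse routine must reject inputs for which no inverse exists before it enters its loop. The following is an added example, not code from `node-forge` or `jsbn`: a self-contained Extended Euclidean modular inverse on native `BigInt` that validates the modulus, reduces the operand, refuses a zero operand up front, and also refuses any operand that is not coprime with the modulus. The names `extendedGcd`, `modInverseChecked` and `tryModInverse` are this example's own.

```javascript
// Added example (not node-forge's own code). Modular inverse via the
// Extended Euclidean Algorithm on BigInt, with explicit input validation
// so that zero and non-invertible operands are rejected instead of being
// handed to the loop.

function extendedGcd(a, b) {
  // Iterative extended Euclid: returns { g, x, y } with a*x + b*y = g = gcd(a, b).
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r;            // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return { g: oldR, x: oldS, y: oldT };
}

function modInverseChecked(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('BigInt inputs required');
  }
  if (m <= 1n) {
    throw new RangeError('modulus must be greater than 1');
  }
  // Reduce the operand into [0, m) so negative inputs are handled uniformly.
  const aMod = ((a % m) + m) % m;
  // Zero has no inverse modulo anything; reject it before any arithmetic loop.
  if (aMod === 0n) {
    throw new RangeError('0 has no modular inverse');
  }
  const { g, x } = extendedGcd(aMod, m);
  // An inverse exists only when gcd(a, m) == 1.
  if (g !== 1n) {
    throw new RangeError('inverse does not exist: gcd(a, m) != 1');
  }
  return ((x % m) + m) % m;
}

// Wrapper returning a result object instead of throwing, for callers that
// want to log and drop bad input (for example, a value taken from a request).
function tryModInverse(a, m) {
  try {
    return { ok: true, value: modInverseChecked(a, m) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Stand-alone demonstration.
console.log(tryModInverse(3n, 11n));   // { ok: true, value: 4n }
console.log(tryModInverse(0n, 11n));   // { ok: false, error: '0 has no modular inverse' }
console.log(tryModInverse(6n, 9n));    // { ok: false, error: 'inverse does not exist: gcd(a, m) != 1' }
```

The same guard pattern applies when calling a library's own `modInverse`: check the operand is non-zero modulo the modulus (and, ideally, coprime with it) at the trust boundary, so that a value controlled by a remote party never reaches the arithmetic unvalidated.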
The patch is included in `node-forge` version 1.4.0, released on March 24, 2026. The update addresses the condition under which the loop's exit is never reached. This is a critical security fix for any application or service that uses `node-forge` for cryptographic operations, particularly those performing modular inverse calculations. The vulnerability is rated HIGH severity, indicating a significant risk to system availability.
This update highlights the persistent risk of inherited vulnerabilities in dependencies bundled into foundational open-source libraries. Developers using `node-forge` in projects, such as the referenced `/quiz-app` directory, must prioritize upgrading to version 1.4.0 or later to mitigate the immediate DoS risk. Unpatched applications remain exposed to a trivial attack: supplying a zero input to the affected function is enough to hang the service.