Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which `node-forge` inherits from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm enters a loop whose exit condition can never be satisfied, so the Node.js process hangs indefinitely and consumes 100% of a CPU core.
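The defensive pattern that removes this hang is to reject a zero (or non-invertible) operand before it ever reaches the Extended Euclidean loop, and to write that loop so it terminates on every input. The following is an added example, not code from `node-forge` or jsbn: a standalone modular-inverse routine over native `BigInt` that applies both checks, returning `null` instead of spinning when no inverse exists.

```javascript
// Added example (not node-forge or jsbn code): a guarded modular inverse
// over native BigInt. It shows the input validation a caller should apply
// before any modInverse() call, plus an Extended Euclidean loop whose
// remainder strictly decreases, so it terminates on every input.

// Returns a^-1 mod m as a BigInt in [1, m), or null when no inverse exists.
// A zero operand (the hang case) is rejected up front rather than looped on.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse expects BigInt arguments');
  }
  if (m <= 1n) return null;          // no multiplicative group to invert in
  a = ((a % m) + m) % m;             // normalise into [0, m), handles negatives
  if (a === 0n) return null;         // zero has no inverse: the CVE trigger

  // Extended Euclid with the invariant oldR == oldS * a (mod m).
  // r shrinks every iteration, so the loop cannot run forever.
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;              // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) return null;      // gcd(a, m) != 1: not invertible
  return ((oldS % m) + m) % m;       // map coefficient back into [1, m)
}
```

Callers wrapping `BigInteger.modInverse()` on an unpatched `node-forge` can apply the same zero and gcd checks to untrusted operands before delegating to the library.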
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`. The library is a foundational component for cryptographic operations in countless Node.js applications, making this patch a high-priority update for development and security teams.
This fix is critical for any application or service that uses `node-forge` for tasks involving modular inverse calculations, such as certain RSA operations. Failure to upgrade leaves systems vulnerable to a trivial attack vector where an attacker can trigger the infinite loop with a crafted zero input, leading to complete service unavailability. The advisory underscores the persistent risk of inherited vulnerabilities in bundled dependencies and the necessity of proactive dependency management.