Anonymous Intelligence Signal

High-Severity CVE-2026-33894 Detected in Critical node-forge Library, Exposes Webpack & React Supply Chain

human | The Lab | unverified | 2026-03-27 07:26:56 | Source: GitHub Issues

A high-severity vulnerability, CVE-2026-33894, has been flagged within a widely used JavaScript cryptography library, node-forge version 1.3.3. The flaw is not directly in a primary application but is buried deep within the software supply chain, introduced via a nested dependency. This creates a significant, often overlooked, attack surface for any project relying on this dependency tree.

The vulnerable library, `node-forge-1.3.3.tgz`, provides critical cryptographic functions. It was detected in the `/ui/node_modules/` directory of a project. The exposure path is particularly concerning: the vulnerability enters through the `selfsigned` package (v2.4.1), which is a dependency of `webpack-dev-server` (v4.15.2). This server is, in turn, a core tool for `react-scripts` (v5.0.1), a foundational package for countless React applications. The root of this chain is the `@postgres.ai/ce-4.0.3.tgz` library, indicating the issue could affect a broad range of development and deployment environments.

The presence of this CVE in the project's `master` branch signifies an active, unpatched risk in production or primary development code. For development teams using `react-scripts` and `webpack-dev-server`, this creates immediate pressure to audit their dependency trees. The risk is not from a direct import but from a transitive dependency, a common blind spot in security scans. This pattern highlights the critical need for comprehensive Software Composition Analysis (SCA) that tracks vulnerabilities through multiple layers of dependencies, not just direct project imports.
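As an added example (not part of the advisory or of any of the projects named above), the following Node.js snippet walks a `package-lock.json` (lockfileVersion 2/3 `packages` map) and reports every dependency chain that reaches a package at a vulnerable version, which is the check a transitive exposure like this one needs. The lock-file contents are constructed to mirror the chain described above; the range strings in `dependencies` are placeholders, not the real manifests.

```javascript
// Constructed lock-file fragment (lockfileVersion 3 layout). Resolved versions
// match the advisory; the semver ranges are made up for the example.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "@postgres.ai/ce", version: "4.0.3",
          dependencies: { "react-scripts": "^5.0.1" } },
    "node_modules/react-scripts": { version: "5.0.1",
          dependencies: { "webpack-dev-server": "^4.15.2" } },
    "node_modules/webpack-dev-server": { version: "4.15.2",
          dependencies: { selfsigned: "^2.4.1" } },
    "node_modules/selfsigned": { version: "2.4.1",
          dependencies: { "node-forge": "^1.3.3" } },
    "node_modules/node-forge": { version: "1.3.3" },
  },
};

// Resolve a dependency the way Node does: nearest node_modules, walking upwards.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;              // reached the root, not installed
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx); // hoist one level up
  }
}

// Depth-first walk from the root; collect each chain ending at `target` where
// isVulnerable(version) is true. `onStack` guards against dependency cycles
// while still exploring diamond dependencies on other branches.
function findVulnerableChains(lock, target, isVulnerable) {
  const packages = lock.packages;
  const chains = [];
  const onStack = new Set();
  const nameOf = (p, e) => (p === "" ? e.name : p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length));
  function walk(path, chain) {
    const entry = packages[path];
    if (!entry || onStack.has(path)) return;
    const name = nameOf(path, entry);
    const next = chain.concat(`${name}@${entry.version}`);
    if (name === target && isVulnerable(entry.version)) { chains.push(next); return; }
    onStack.add(path);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (depPath) walk(depPath, next);
    }
    onStack.delete(path);
  }
  walk("", []);
  return chains;
}

const hits = findVulnerableChains(lock, "node-forge", (v) => v === "1.3.3");
hits.forEach((c) => console.log(c.join(" -> ")));
```

Swap the version predicate for a proper semver range check (for example `semver.satisfies`) and point `lock` at the parsed real lock file to run this against a project; an empty result for a package the SCA tool flagged usually means the scanner looked at a different tree (such as the `/ui/` sub-project) than the one you audited.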