Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A security update for the widely used `node-forge` cryptography library patches a high-severity denial-of-service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, lies in `BigInteger.modInverse()`, which `node-forge` inherits from the bundled `jsbn` big-integer library. When the method is invoked on a zero value, the internal extended Euclidean loop never reaches its exit condition, so the Node.js process hangs indefinitely, pinning its thread at 100% CPU. No memory corruption or data disclosure is involved; the impact is purely availability.
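As an added illustration, not code from `node-forge` or `jsbn`, the following plain-JavaScript modular inverse shows the check a caller should make before any extended-Euclidean loop runs: reject a zero operand (and any operand that is not coprime to the modulus) up front, so a degenerate input yields a defined result instead of an endless loop. `extendedGcd`, `safeModInverse` and `modInverseChecked` are hypothetical names introduced here; the last one assumes only that the jsbn `BigInteger` object offers `signum()` and `modInverse()`, which `node-forge` exposes as `forge.jsbn.BigInteger`.

```javascript
// Extended Euclidean algorithm on BigInt values.
// Returns { g, x, y } with a*x + b*y = g = gcd(a, b).
// The loop terminates because r strictly decreases toward zero on every step.
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r;               // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return { g: oldR, x: oldS, y: oldT };
}

// a^-1 mod m as a BigInt in [0, m), or null when no inverse exists:
// m <= 1, a == 0 (mod m), or gcd(a, m) != 1. Every rejection happens
// before the Euclidean loop, so no input can make this function spin.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse: BigInt operands required');
  }
  if (m <= 1n) return null;
  a = ((a % m) + m) % m;              // normalise negatives into [0, m)
  if (a === 0n) return null;          // zero has no inverse: the case behind the hang
  const { g, x } = extendedGcd(a, m);
  if (g !== 1n) return null;          // not coprime, e.g. 10 mod 15
  return ((x % m) + m) % m;
}

// Call-site guard for code that keeps using jsbn's BigInteger
// (assumed API: signum() and modInverse(m), as exposed by forge.jsbn.BigInteger).
// Throws instead of delegating when either operand is zero, so a patched or
// unpatched modInverse() is never reached with the degenerate input.
function modInverseChecked(big, modulus) {
  if (big.signum() === 0 || modulus.signum() === 0) {
    throw new RangeError('modInverse: zero operand has no modular inverse');
  }
  return big.modInverse(modulus);
}

// Constructed sample inputs (not from the advisory).
const demo = [
  [3n, 11n],   // 3 * 4 = 12 = 1 (mod 11)  -> 4n
  [-3n, 11n],  // -3 = 8 (mod 11), 8 * 7 = 56 = 1 (mod 11) -> 7n
  [0n, 11n],   // the CVE-2026-33891 input class -> null, no hang
  [10n, 15n],  // gcd 5 -> null
];
for (const [a, m] of demo) {
  console.log(`inverse of ${a} mod ${m}:`, safeModInverse(a, m));
}
```

Until the dependency is upgraded, wrapping every `modInverse()` call site in a guard like `modInverseChecked` is a cheap stopgap; it does not replace the patch, because it only protects call sites you control, not ones inside `node-forge` itself.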
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. It is fixed in `node-forge` version 1.4.0, released on March 24, 2026; the changelog for that release consists solely of this security fix, which underscores its importance. The advisory is also published under GitHub Security Advisory ID GHSA-.
This patch is a mandatory update for any project that depends on `node-forge` for cryptographic operations, including TLS, SSH, X.509 certificates and other PKI functions. Because a single malformed value is enough to wedge the process, any code path that lets untrusted input reach `modInverse()` is a cheap resource-exhaustion vector; the advisory summary here does not enumerate which `node-forge` APIs expose such a path, so treat every consumer as affected until confirmed otherwise. Note that `node-forge` is frequently pulled in transitively, so check the whole dependency tree (for example with `npm ls node-forge`) rather than only direct `package.json` entries, and move every copy from version 1.3.1 or earlier to 1.4.0.