Anonymous Intelligence Signal

Critical DoS Flaw in Node-Forge Library (CVE-2026-33891) Prompts Urgent Update to v1.4.0

The Lab (unverified) | 2026-03-27 10:27:13 | Source: GitHub Issues

A high-severity Denial of Service (DoS) vulnerability has been patched in the widely used `node-forge` cryptography library, forcing developers to urgently update to version 1.4.0. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When this function is called with a zero value as input, it triggers an infinite loop, causing the Node.js process to hang indefinitely and consume 100% CPU resources. This creates a straightforward vector for service disruption in any application relying on the library for cryptographic operations.

The vulnerability was reported by a researcher known as Kr0emer and has been assigned a HIGH severity rating by the maintainers, Digital Bazaar. The issue is specific to the `modInverse()` method, a core component for modular inverse calculations used in various cryptographic protocols. The patch in version 1.4.0 resolves the unreachable exit condition in the internal Extended Euclidean Algorithm, eliminating the infinite loop.
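As an added illustration of the defensive property the fix restores (this is example code, not node-forge's or jsbn's implementation, and it assumes nothing about the library's internals), the following extended Euclidean modular inverse uses native BigInt and terminates on every input, rejecting zero and non-coprime values with an exception instead of looping. The `isInvertible` helper is a pre-check an application can run before handing untrusted values to any library `modInverse()`.

```javascript
// Added example: a modular inverse that cannot spin forever. Every loop
// iteration strictly decreases the remainder, and the two inputs for which
// no inverse exists (zero, or gcd(a, m) != 1) are rejected explicitly.

function normalise(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('inputs must be BigInt');
  }
  if (m <= 1n) throw new RangeError('modulus must be > 1');
  return ((a % m) + m) % m; // map a into [0, m), handling negatives
}

// Returns x with (a * x) % m === 1n, or throws RangeError if none exists.
function safeModInverse(a, m) {
  a = normalise(a, m);
  if (a === 0n) throw new RangeError('0 has no modular inverse'); // the CVE input
  // Extended Euclid. Invariant: oldR == oldS * a (mod m).
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {          // r decreases each round, so this terminates
    const q = oldR / r;       // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new RangeError('no inverse: gcd(a, m) = ' + oldR);
  return ((oldS % m) + m) % m;
}

// Cheap guard to run before calling a library modInverse on untrusted input.
function isInvertible(a, m) {
  a = normalise(a, m);
  let b = m;
  while (b !== 0n) [a, b] = [b, a % b]; // plain Euclid for gcd
  return a === 1n;                      // gcd == 1 <=> inverse exists
}

module.exports = { safeModInverse, isInvertible };
```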

This security update is critical for any project using `node-forge` for tasks like TLS/SSL, SSH, or X.509 certificate handling. The library is a foundational dependency for numerous npm packages and backend services. Failure to apply this patch leaves applications vulnerable to a simple, low-effort attack that could cripple server availability. The changelog for version 1.4.0 contains no other changes, underscoring the urgency of this security fix. Development teams should immediately review their dependency trees and upgrade to `node-forge@1.4.0` to mitigate this DoS risk.