Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in Core Crypto Library
A critical security update has been released for the widely used `node-forge` cryptography library, patching a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function: when it is called with a zero value as input, the underlying Extended Euclidean Algorithm enters an infinite loop, so the Node.js process hangs indefinitely at 100% CPU. The vulnerability is inherited from the library's bundled `jsbn` component.
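The defensive pattern this class of bug calls for is an input guard in front of the inverse routine, since zero has no modular inverse for any modulus and a well-formed Extended Euclid on non-negative inputs terminates in a bounded number of steps. The following is an added example written for this article, not code from `node-forge` or `jsbn`; it uses native `BigInt` and the hypothetical helper names `extendedGcd`, `safeModInverse` and `isInvertible`. It rejects zero and non-coprime inputs up front and caps the loop so that a logic error fails closed with an exception instead of a hang.

```javascript
// Added example, not node-forge's own code. Helper names are hypothetical.

const bitLength = (n) => n.toString(2).length;

// Extended Euclidean algorithm on non-negative BigInts.
// Returns { g, x, y } with a*x + b*y = g = gcd(a, b).
// The step cap is defence in depth: by Lame's theorem the loop needs far fewer
// than 2*bits+4 iterations, so exceeding it means the inputs are malformed.
function extendedGcd(a, b) {
  const maxSteps = 2 * bitLength(a > b ? a : b) + 4;
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  let steps = 0;
  while (r !== 0n) {
    if (++steps > maxSteps) throw new Error('extendedGcd: step budget exceeded');
    const q = oldR / r;            // BigInt division truncates; inputs are >= 0
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return { g: oldR, x: oldS, y: oldT };
}

// Returns a^-1 mod m as a BigInt in [1, m-1]; throws when no inverse exists.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse: BigInt inputs required');
  }
  if (m <= 1n) throw new RangeError('safeModInverse: modulus must be > 1');
  const aRed = ((a % m) + m) % m;   // normalise into [0, m-1]
  // Zero is never invertible; reject it before any Euclidean loop runs.
  if (aRed === 0n) throw new RangeError('safeModInverse: 0 has no modular inverse');
  const { g, x } = extendedGcd(aRed, m);
  if (g !== 1n) throw new RangeError('safeModInverse: inputs are not coprime');
  return ((x % m) + m) % m;
}

// Non-throwing predicate for callers that want to validate before computing.
function isInvertible(a, m) {
  try {
    safeModInverse(a, m);
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e;
  }
}

// Usage: 3 * 4 = 12 = 1 (mod 11), so the inverse of 3 mod 11 is 4.
console.log(safeModInverse(3n, 11n).toString());   // 4
console.log(isInvertible(0n, 11n));                 // false
```

Wrapping a library call this way costs one modulo and one comparison per call, and the step budget converts any future non-terminating case into a thrown error that a caller can log and handle rather than a process that must be killed.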
The patch is delivered in version 1.4.0 of `node-forge`, which bumps the version from 1.3.1. The vulnerability was reported by a researcher identified as Kr0emer. The `node-forge` library is a fundamental building block for cryptographic operations in the JavaScript and Node.js ecosystem, used by thousands of applications for tasks like TLS, SSH, and digital signatures. Its integration into dependency chains means the flaw could have widespread, cascading impacts if left unpatched.
This update puts immediate pressure on development and security teams to audit their dependency trees. Any project relying on a `node-forge` version prior to 1.4.0 is exposed to a trivial DoS attack vector. The fix requires developers to update their dependencies explicitly, as automated patch management systems may not immediately apply the new version. The incident underscores the persistent risk posed by inherited vulnerabilities in foundational open-source components and the critical need for proactive dependency monitoring.
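Because `node-forge` is usually pulled in transitively, a single `package.json` line can hide several installed copies at different versions, and only the ones below 1.4.0 matter. The following is an added example, not code from `node-forge`, npm or the article: it walks a `package-lock.json` object (lockfile v2/v3 `packages` map, or the older v1 `dependencies` tree) and reports every installed `node-forge` older than the fixed version. The sample lock file, the package name `legacy-tls-helper` and the helper names are constructed for the example; `npm ls node-forge` and `npm audit` are the real tools, this just shows the check they perform.

```javascript
// Added example, not node-forge's or npm's own code. Helper names are hypothetical.

const FIXED_VERSION = '1.4.0';

// Constructed lock file (lockfileVersion 3): the top-level node-forge is patched,
// but a hypothetical dependency carries its own nested, unpatched copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0',
          dependencies: { 'node-forge': '^1.4.0', 'legacy-tls-helper': '2.0.0' } },
    'node_modules/node-forge': { version: '1.4.0' },
    'node_modules/legacy-tls-helper': { version: '2.0.0',
                                        dependencies: { 'node-forge': '^1.3.0' } },
    'node_modules/legacy-tls-helper/node_modules/node-forge': { version: '1.3.1' },
  },
};

// Minimal semver comparison on the numeric major.minor.patch triple.
// A leading "v"/"=" and any pre-release or build suffix are stripped; that is a
// deliberate simplification (a real audit should use the semver package).
function compareSemver(a, b) {
  const parse = (v) => v.replace(/^[v=]/, '').split(/[-+]/)[0].split('.').map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Yields { path, version } for every installed copy of `name` in the lock file.
function* installedCopies(lock, name) {
  if (lock.packages) {                       // lockfileVersion 2 / 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        yield { path, version: meta.version };
      }
    }
  } else if (lock.dependencies) {            // lockfileVersion 1 nested tree
    const walk = function* (deps, prefix) {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) yield { path, version: meta.version };
        if (meta.dependencies) yield* walk(meta.dependencies, `${path}/`);
      }
    };
    yield* walk(lock.dependencies, '');
  }
}

// Every installed node-forge whose version is below the fixed release.
function findVulnerableForge(lock, fixed = FIXED_VERSION) {
  return [...installedCopies(lock, 'node-forge')]
    .filter((entry) => compareSemver(entry.version, fixed) < 0);
}

// Usage: in a real run, `JSON.parse(fs.readFileSync('package-lock.json'))`
// replaces SAMPLE_LOCK.
for (const hit of findVulnerableForge(SAMPLE_LOCK)) {
  console.log(`vulnerable: ${hit.path} @ ${hit.version} (< ${FIXED_VERSION})`);
}
```

The nested copy is the one a top-level `npm install node-forge@1.4.0` would not touch, which is why the check must enumerate every path in the lock file rather than stop at the first match.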