Anonymous Intelligence Signal

Critical DoS Flaw in node-forge Library (CVE-2026-33891) Prompts Urgent Update to v1.4.0

Author: The Lab (human, unverified) | 2026-03-27 12:27:33 | Source: GitHub Issues

A critical security vulnerability in the widely used `node-forge` cryptography library has been disclosed, prompting an urgent update to version 1.4.0. The flaw, rated HIGH severity, is a Denial of Service (DoS) vulnerability in the `BigInteger.modInverse()` function. When the function is called with a zero value, it enters an infinite loop, causing the Node.js process to hang indefinitely and consume 100% CPU. The defect originates in the `jsbn` library code bundled with `node-forge`.

The issue, tracked as CVE-2026-33891, was reported by a researcher known as Kr0emer. The `node-forge` library is a fundamental component for cryptographic operations in thousands of JavaScript and Node.js applications, making this vulnerability a significant supply chain risk. The flaw is present in version 1.3.1 and earlier. The maintainers, Digital Bazaar, have released version 1.4.0 to patch this specific security hole, as detailed in the project's changelog.

This disclosure triggers immediate action for development and security teams managing applications dependent on `node-forge`. Any project using the vulnerable version is exposed to a trivial DoS attack vector that could crash services. The fix requires explicitly updating the dependency, as seen in automated pull requests from tools like Dependabot. The widespread adoption of this library means the vulnerability's impact is potentially extensive, affecting web servers, API backends, and any Node.js process performing cryptographic operations with forge. Organizations must prioritize updating to v1.4.0 to mitigate the risk of service disruption.
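Two defender-side checks that follow from the advisory, written here as an added example (not code from node-forge, jsbn or Digital Bazaar): a modular-inverse routine that rejects the zero input (and any non-invertible input) before any loop runs, and a dependency audit that flags `node-forge` versions below the fixed 1.4.0. The function names, the semver helpers and the sample `package.json` object are constructed for this example.

```javascript
// Added example for CVE-2026-33891 (not node-forge's own code).
// modInverseOrThrow(): extended-Euclid inverse over BigInt that refuses
// zero and non-coprime inputs up front instead of looping on them.
function modInverseOrThrow(a, m) {
  a = BigInt(a); m = BigInt(m);
  if (m <= 1n) throw new RangeError('modulus must be > 1');
  a = ((a % m) + m) % m;                       // normalise into [0, m)
  if (a === 0n) throw new RangeError('0 has no modular inverse'); // the CVE trigger value
  // Extended Euclidean algorithm; invariant: oldR = oldS*a (mod m).
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {                           // terminates: r strictly decreases
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new RangeError('input is not coprime with modulus');
  return ((oldS % m) + m) % m;
}

// Minimal semver handling (hypothetical helpers, enough for an audit script).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error('unparseable version: ' + v);
  return m.slice(1, 4).map(Number);
}
function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Fixed in 1.4.0 per the advisory; 1.3.1 and earlier are affected.
const FORGE_FIXED_VERSION = '1.4.0';
function isForgeVulnerable(installedVersion) {
  return compareSemver(installedVersion, FORGE_FIXED_VERSION) < 0;
}

// Constructed sample package.json content (not from any real project).
const samplePackageJson = { dependencies: { 'node-forge': '^1.3.1' } };
function auditDependencies(pkg) {
  const v = (pkg.dependencies || {})['node-forge'];
  // Strip a leading ^ or ~ range marker and compare the floor version.
  return v ? isForgeVulnerable(v.replace(/^[\^~]/, '')) : false;
}
```

The version check treats the lower bound of a `^`/`~` range as the installed version, so a lockfile's resolved version is the better input when one is available.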