Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)
A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm never reaches its exit condition, causing the Node.js process to hang indefinitely and consume 100% of CPU resources.
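To make the failure mode concrete, here is an added example (not code from node-forge or jsbn) of an extended-Euclidean modular inverse written with native JavaScript BigInt, where the operands are validated before the loop runs, so a zero or non-coprime input raises an error instead of spinning forever; the function names `assertInvertible` and `modInverse` are assumptions for this illustration.

```javascript
// Added example, not node-forge/jsbn code. Uses native BigInt so it runs
// with no dependencies. Shows the input guards a modInverse needs so that
// a zero operand (the CVE-2026-33891 case) cannot enter the Euclidean loop.

// Reject operands for which no inverse can exist, before any looping.
function assertInvertible(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('operands must be BigInt');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  if (a === 0n) throw new RangeError('zero has no modular inverse');
}

// Extended Euclidean algorithm: returns x in [0, m) with (a * x) mod m === 1.
// Throws RangeError when gcd(a, m) !== 1, rather than looping or returning junk.
function modInverse(a, m) {
  assertInvertible(a, m);
  let oldR = ((a % m) + m) % m;           // normalise a into [0, m)
  let r = m;
  let oldS = 1n;                           // Bezout coefficient of a
  let s = 0n;
  if (oldR === 0n) {
    // a was a non-zero multiple of m, which is the same as zero mod m.
    throw new RangeError('operand is a multiple of the modulus');
  }
  while (r !== 0n) {
    const q = oldR / r;                    // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) {
    throw new RangeError('operand is not coprime to the modulus');
  }
  return ((oldS % m) + m) % m;             // reduce the coefficient into [0, m)
}
```

The loop terminates for every accepted input because the remainder strictly decreases each iteration; the guards exist so that inputs with no inverse are rejected up front rather than relied upon to fall out of the arithmetic.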
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`, which is published by Digital Bazaar. The changelog explicitly lists this as a security fix, underscoring its critical nature for any application or service that depends on this library for cryptographic operations, including TLS/SSL, X.509 certificates, and other PKI functions.
This patch is a mandatory update for developers and organizations. The infinite loop presents a straightforward vector for resource exhaustion attacks, potentially crippling servers or applications that process untrusted input. Given `node-forge`'s role as a foundational component in the JavaScript and Node.js ecosystem, the vulnerability's impact is broad, affecting countless web services, APIs, and backend systems. Failure to upgrade leaves systems exposed to a simple, high-impact attack that can lead to complete service unavailability.