Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches High-Severity DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`

human The Lab unverified 2026-03-27 16:27:37 Source: GitHub Issues

A security update for the widely used `node-forge` cryptography library patches a Denial of Service (DoS) vulnerability rated HIGH severity. The flaw, tracked as CVE-2026-33891, is in `BigInteger.modInverse()`, code that `node-forge` inherits from the bundled `jsbn` big-integer library. When the function is asked to invert a zero value, the extended Euclidean loop never reaches its exit condition and spins forever: the call never returns, the Node.js event loop is blocked, and the process pins a CPU core until it is killed.
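The hang described above, shown as an added example that is not code from `node-forge`, `jsbn` or the advisory: a native-`BigInt` re-creation of a binary extended-Euclidean modular inverse, the algorithm family `jsbn`'s `modInverse()` belongs to, with a step budget added so the non-terminating input can be observed instead of hanging the process. The budget, the restriction to an odd modulus (the case for RSA and DH moduli) and the `safeModInverse` guard are the editor's additions.

```javascript
// Added example (editor's code, not node-forge's or jsbn's). Re-creates the
// structure of a binary extended-Euclidean modular inverse on BigInt and adds
// a step budget so a non-terminating input throws instead of hanging.
const ZERO = 0n, ONE = 1n;
const isEven = (x) => (x & ONE) === ZERO;

// Inverse of aIn modulo an odd positive m. Returns null when gcd(aIn, m) != 1.
// aIn is deliberately NOT reduced mod m first: that mirrors the raw path in
// which a zero value reaches the loop unchecked. maxSteps is the editor's guard.
function binaryModInverse(aIn, m, maxSteps = 10000) {
  if (typeof aIn !== "bigint" || typeof m !== "bigint") throw new TypeError("BigInt inputs required");
  if (m <= ZERO || isEven(m)) throw new RangeError("modulus must be odd and positive");
  if (aIn < ZERO) throw new RangeError("value must be non-negative");
  let steps = 0;
  const tick = () => {
    if (++steps > maxSteps) throw new Error("step budget exceeded: modInverse did not terminate");
  };
  let u = m, v = aIn;     // invariants: u = a*m + b*aIn, v = c*m + d*aIn
  let b = ZERO, d = ONE;  // a and c are not needed when m is odd
  while (u !== ZERO) {
    while (isEven(u)) {   // halve u, keeping b consistent modulo m
      tick();
      u >>= ONE;
      if (!isEven(b)) b -= m;
      b >>= ONE;
    }
    while (isEven(v)) {   // v === 0n is even forever: 0n >> 1n is still 0n
      tick();
      v >>= ONE;
      if (!isEven(d)) d -= m;
      d >>= ONE;
    }
    tick();
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== ONE) return null;  // gcd != 1: no inverse exists
  d %= m;
  return d < ZERO ? d + m : d;
}

// Guard to place in front of any modular-inverse call until the dependency is
// at a fixed version: reject zero (and non-coprime) inputs up front instead of
// letting the inverse routine discover them by never returning.
function safeModInverse(a, m, inverseFn = binaryModInverse) {
  if (typeof a !== "bigint" || typeof m !== "bigint") throw new TypeError("BigInt inputs required");
  if (m <= ONE) throw new RangeError("modulus must be greater than 1");
  const r = ((a % m) + m) % m;                 // canonical residue in [0, m)
  if (r === ZERO) throw new RangeError("0 has no inverse modulo m");
  const inv = inverseFn(r, m);
  if (inv === null) throw new RangeError("value is not coprime to the modulus");
  return inv;
}

// Demonstration: the valid call returns, the zero call exhausts the budget.
function demo() {
  const ok = binaryModInverse(3n, 7n);         // 5n, since 3*5 = 15 = 1 mod 7
  let hung = false;
  try { binaryModInverse(0n, 7n); } catch (e) { hung = /step budget/.test(e.message); }
  return { ok, hung };
}
```

With the real library the same precondition goes in front of the call: reduce the operand modulo `m`, and refuse to call `modInverse()` when the reduced value's `signum()` is 0. Note that the guard only buys time; the fix is to upgrade to 1.4.0.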

The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer and is fixed in the newly released `node-forge` 1.4.0. Because the library provides the cryptographic primitives for thousands of JavaScript and Node.js applications, often as a transitive dependency rather than a direct one, the patch is a high-priority update for development and security teams.

Organizations should audit their dependency trees, transitive dependencies included, and upgrade every installed copy of `node-forge` at version 1.3.1 or earlier. Because the flaw exhausts CPU silently rather than crashing the process, it could stall backend services or CI/CD pipelines without leaving the crash logs that usually flag an incident; a spike in event-loop lag or request latency is the more likely signal. Whether it is remotely triggerable depends on whether attacker-controlled values can reach `modInverse()`, which the advisory summary here does not specify, so the safe assumption is to patch regardless. The advisory underscores the persistent security challenges within foundational open-source software dependencies.
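The dependency-tree audit called for above, as an added example that is not code from `node-forge` or the advisory: walk a `package-lock.json` and report every installed copy of `node-forge` older than 1.4.0, including copies nested under other packages' `node_modules`. It handles lockfile v2/v3 (`packages` keyed by install path) and the older v1 layout (nested `dependencies`). The sample lockfile is constructed for the example; `1.4.0` is taken from the advisory as the first fixed release.

```javascript
// Added example (editor's code, not node-forge's or the advisory's): find every
// installed copy of node-forge in a package-lock.json that predates the fix.
const FIXED_VERSION = "1.4.0";  // first release with the modInverse fix, per the advisory
const PACKAGE = "node-forge";

// Compare dotted numeric versions like strcmp (negative, zero, positive).
// Pre-release/build suffixes are stripped; editor's simplification.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Yield [installPath, version] for every copy of `name` in the lockfile.
function* installedCopies(lock, name) {
  if (lock.packages) {                     // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        yield [path, meta.version];
      }
    }
  } else if (lock.dependencies) {          // lockfileVersion 1 (nested tree)
    yield* walkV1(lock.dependencies, name, "node_modules");
  }
}

function* walkV1(deps, name, prefix) {
  for (const [depName, meta] of Object.entries(deps)) {
    const path = `${prefix}/${depName}`;
    if (depName === name) yield [path, meta.version];
    if (meta.dependencies) yield* walkV1(meta.dependencies, name, `${path}/node_modules`);
  }
}

// Return {path, version} for every copy that still needs upgrading.
function vulnerableCopies(lock) {
  const out = [];
  for (const [path, version] of installedCopies(lock, PACKAGE)) {
    if (version && compareVersions(version, FIXED_VERSION) < 0) out.push({ path, version });
  }
  return out;
}

// Constructed sample: the direct dependency is patched, but a transitive
// dependency still pins an old copy under its own node_modules.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/node-forge": { version: "1.4.0" },
    "node_modules/some-tls-helper": { version: "2.1.0" },
    "node_modules/some-tls-helper/node_modules/node-forge": { version: "1.3.1" },
  },
};

// Usage: node audit-forge.js [path/to/package-lock.json]; defaults to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const h of vulnerableCopies(lock)) console.log(`${h.path}: ${h.version} < ${FIXED_VERSION}`);
}
```

A non-empty result is the CI failure condition. `npm ls node-forge --all` gives the same tree view interactively, but the lockfile walk catches nested copies that a quick look at `package.json` misses, which is where the 1.3.1-or-earlier stragglers usually hide.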