Node-Forge 1.4.0 Patches High-Severity DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, is in the `BigInteger.modInverse()` function, which `node-forge` inherits from its bundled copy of the `jsbn` library. When the value to be inverted is zero, the function's extended Euclidean loop has no reachable exit condition: the loop makes no progress on a zero operand, so the Node.js process spins at 100% CPU indefinitely instead of returning. Because Node.js runs JavaScript on a single event-loop thread, one such call stalls every request the process is serving, which makes this a straightforward resource-exhaustion vector wherever attacker-controlled numbers reach `modInverse()`.
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The fix ships in `node-forge` version 1.4.0, the first release since 1.3.1; the changelog lists this security patch as the headline change of the release, underscoring its importance. `node-forge` is a foundational library for cryptographic operations in the Node.js ecosystem, used by thousands of packages for tasks such as TLS, SSH key handling, and digital signatures.
This patch requires a dependency bump in every project that pulls in `node-forge`, directly or transitively. `npm ls node-forge` (or its yarn/pnpm equivalent) shows which versions a lockfile actually resolves, and a transitive pin can be forced forward with `overrides` (npm) or `resolutions` (yarn) until upstream packages update. Developers and security teams should prioritize upgrading to version 1.4.0 or later to remove the risk of service disruption. Because the trigger is a single malformed input, this is a high-priority fix for public-facing services and for anything that parses untrusted keys, certificates, or signatures. Failure to update leaves systems exposed to a trivial but effective DoS attack that can cripple application availability.
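To make the failure mode above concrete, and to show the kind of input guard a caller can put in front of `modInverse()` while a dependency bump is pending, here is an added example in native BigInt. It is not `node-forge`'s or `jsbn`'s code: it is a binary extended-GCD modular inverse of the same general shape, where factors of two are stripped from each operand by a "while even, halve" loop. A zero operand is even and stays zero when halved, so that loop never exits; a step cap stands in for the wall clock so the stall is observable rather than hanging this process. Function names are this example's own, the unguarded routine assumes a non-negative operand and an odd modulus greater than 1 (the even-modulus branch is omitted), and the guarded wrapper shows the pre-check pattern rather than the project's actual patch.

```javascript
// Added example, not node-forge or jsbn code. Binary extended-GCD modular
// inverse in native BigInt. Assumes x >= 0n and m odd, m > 1n.
// Returns { stalled, steps, inverse }: `stalled` is true when the step cap
// was hit (the loop would otherwise run forever), `inverse` is null when
// gcd(x, m) != 1.
function binaryModInverse(x, m, maxSteps = 100000) {
  let u = m, v = x;      // invariants: u ≡ b*x (mod m), v ≡ d*x (mod m)
  let b = 0n, d = 1n;
  let steps = 0;
  while (u !== 0n) {
    // Strip factors of two from u; m is odd, so b can be made even first.
    while (u % 2n === 0n) {
      if (++steps > maxSteps) return { stalled: true, steps, inverse: null };
      u /= 2n;
      if (b % 2n !== 0n) b -= m;
      b /= 2n;
    }
    // Same for v. If v === 0n it is even forever and halving leaves it
    // zero: this is the non-terminating case the advisory describes.
    while (v % 2n === 0n) {
      if (++steps > maxSteps) return { stalled: true, steps, inverse: null };
      v /= 2n;
      if (d % 2n !== 0n) d -= m;
      d /= 2n;
    }
    // Both odd: subtract the smaller from the larger (ordinary binary GCD).
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) return { stalled: false, steps, inverse: null }; // not coprime
  d %= m;
  if (d < 0n) d += m;    // normalize into [0, m)
  return { stalled: false, steps, inverse: d };
}

// Guarded wrapper (hypothetical name): reject the inputs that have no
// inverse *before* entering the loop, so untrusted data cannot stall the
// event loop. Operands are normalized into [0, m) first, which turns every
// x ≡ 0 (mod m), including the CVE-2026-33891 zero input, into one check.
function modInverseOrThrow(x, m) {
  if (typeof x !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('BigInt operands required');
  }
  if (m <= 1n || m % 2n === 0n) {
    throw new RangeError('modulus must be odd and greater than 1');
  }
  x = ((x % m) + m) % m;
  if (x === 0n) throw new RangeError('0 has no inverse modulo m');
  const r = binaryModInverse(x, m);
  if (r.stalled) throw new Error('modInverse did not converge'); // defense in depth
  if (r.inverse === null) throw new RangeError('operand and modulus are not coprime');
  return r.inverse;
}

// Demo with constructed inputs: the unguarded loop stalls on 0 (and is
// stopped only by the step cap), the guarded wrapper rejects it up front.
const stalled = binaryModInverse(0n, 7n, 1000);
console.log('unguarded 0^-1 mod 7:',
  stalled.stalled ? `stalled, stopped by cap after ${stalled.steps} steps` : stalled.inverse);
console.log('guarded 3^-1 mod 7:', modInverseOrThrow(3n, 7n));
try {
  modInverseOrThrow(0n, 7n);
} catch (e) {
  console.log('guarded 0^-1 mod 7:', e.constructor.name, e.message);
}
```

Two practical caveats follow from this. First, because the stall happens synchronously on the event-loop thread, no `setTimeout` or `AbortController` in the same process can interrupt it; only a pre-check on the operand (or running the computation in a worker thread with an external deadline) prevents the hang. Second, the same pre-check is trivial to apply to the real API: `node-forge` exposes the bundled class as `forge.jsbn.BigInteger`, and `signum() === 0` on the value to be inverted identifies the triggering input before `modInverse()` is ever called.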