Node-Forge 1.4.0 Patches Critical DoS Flaw: Infinite Loop in `BigInteger.modInverse()` (CVE-2026-33891)
A critical Denial of Service (DoS) vulnerability has been patched in the widely used Node.js cryptography library node-forge. The flaw, rated HIGH severity, resides in the `BigInteger.modInverse()` function and can cause a process to hang indefinitely at 100% CPU. This is a direct resource-exhaustion vector against any application or service that passes untrusted input to this function.
The vulnerability stems from an infinite-loop condition inherited from the bundled `jsbn` library. When `modInverse()` is called with a zero value as input, the exit condition of the internal Extended Euclidean Algorithm can never be reached, so the loop never terminates. The issue, tracked as CVE-2026-33891 and GHSA-..., was reported by researcher Kr0emer. The patch is included in node-forge version 1.4.0, released on March 24, 2026, which supersedes version 1.3.3.
This security update is critical for developers and organizations relying on node-forge for TLS, SSH, X.509 certificates, or other cryptographic operations in JavaScript. The library is a foundational dependency for numerous npm packages and backend services. Failure to upgrade leaves systems vulnerable to trivial DoS attacks where an attacker can submit a crafted zero-value input to trigger the infinite loop, potentially crashing Node.js processes and disrupting service availability. The fix underscores the persistent security risks within deeply nested dependency chains, especially in core cryptographic primitives.