Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)
A critical security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm enters a loop whose exit condition can never be reached, causing the Node.js process to hang indefinitely and consume 100% of CPU resources.
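The failure mode described above is an extended Euclidean loop that never terminates on a zero operand. As an added example, not code from `node-forge` or `jsbn`, the following BigInt implementation shows the defensive shape such a routine should have: inputs with no inverse (zero, non-coprime, or a degenerate modulus) are rejected up front, and the loop carries an iteration bound derived from the operand size so that a logic error surfaces as an exception rather than a hang. The function names are hypothetical.

```javascript
// Added example (not node-forge/jsbn code): a modular inverse over BigInt
// that rejects the inputs the vulnerable path never handled instead of
// looping forever.

// Bit length of a non-negative BigInt; used to size the iteration bound.
function bitLength(n) {
  return n === 0n ? 0 : n.toString(2).length;
}

// Extended Euclid returning [g, x, y] with a*x + b*y = g = gcd(a, b).
// Euclid on k-bit inputs finishes within about 1.44*k division steps
// (Lame's theorem), so exceeding 2k + 2 steps means the loop is not
// converging and is reported as an error rather than allowed to spin.
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  const maxSteps = 2 * Math.max(bitLength(a), bitLength(b)) + 2;
  let steps = 0;
  while (r !== 0n) {
    if (++steps > maxSteps) throw new Error('extendedGcd: iteration bound exceeded');
    const q = oldR / r;                 // BigInt division truncates, as Euclid needs
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return [oldR, oldS, oldT];
}

// Validated modular inverse: returns a^-1 mod m in [0, m), or null when no
// inverse exists (a is 0 mod m, or gcd(a, m) != 1). Never spins on zero.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('safeModInverse: BigInt inputs required');
  }
  if (m <= 1n) return null;              // no multiplicative group to invert in
  const aMod = ((a % m) + m) % m;        // normalise negatives into [0, m)
  if (aMod === 0n) return null;          // the zero operand: no inverse, reject early
  const [g, x] = extendedGcd(aMod, m);
  if (g !== 1n) return null;             // not coprime with m: no inverse
  return ((x % m) + m) % m;
}
```

Callers that must keep using a library `modInverse` can apply the same pre-checks before delegating, so a zero or non-coprime operand is answered with an error instead of reaching the loop.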
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`. The changelog explicitly warns developers of the risk, stating that the infinite loop could lead to a complete service outage for any application that triggers the vulnerable code path.
This patch is a mandatory update for the vast ecosystem of JavaScript and Node.js applications that depend on `node-forge` for cryptographic operations, including TLS, SSH, and X.509 certificate handling. The library is a transitive dependency for thousands of projects. Failure to upgrade leaves systems exposed to a trivial attack vector where an attacker could send crafted input to trigger the infinite loop, causing resource exhaustion and unresponsive services. The advisory underscores the ongoing pressure on open-source maintainers to rapidly address foundational security flaws in critical infrastructure libraries.