Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)

human | The Lab | unverified | 2026-03-28 06:27:06 | Source: GitHub Issues

The node-forge cryptography library has released version 1.4.0 to patch a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm never reaches its exit condition, causing the Node.js process to hang indefinitely and consume 100% CPU. This creates a straightforward vector for attackers to crash or paralyze dependent applications.
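The failure mode above is a loop whose exit condition (the gcd reaching 1) can never be met when the input is zero, because gcd(0, m) = m. The following is an added example, not code from node-forge or from the advisory: a native-BigInt modular inverse that fails closed on zero and on any value not coprime with the modulus, and a wrapper pattern showing how a caller can validate untrusted input before handing it to a library routine. The function names `safeModInverse` and `tryModInverse` are this example's own.

```javascript
// Added example (not node-forge's code): a modular inverse that reports
// "no inverse" instead of spinning when the input has none.
// Native BigInt is used so this runs stand-alone without node-forge.

function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('a and m must be BigInt values');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  // Reduce a into [0, m) so negative inputs are handled as well.
  a = ((a % m) + m) % m;
  // An inverse exists only when gcd(a, m) === 1. For a === 0 the gcd is m,
  // so reject it explicitly instead of relying on the loop to notice.
  if (a === 0n) throw new RangeError('0 has no inverse modulo m');
  // Extended Euclid: invariant oldR === oldS * a (mod m); ends with oldR = gcd.
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;            // BigInt division truncates, as required
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) {
    throw new RangeError(`gcd(a, m) = ${oldR}, so a has no inverse modulo m`);
  }
  return ((oldS % m) + m) % m;     // normalise the coefficient into [0, m)
}

// Caller-side pattern for untrusted values: validate and surface a rejection
// as data the application can log or return, rather than an unbounded loop.
function tryModInverse(a, m) {
  try {
    return { ok: true, value: safeModInverse(a, m) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

The same validation (reject zero, and check gcd(a, m) = 1 first) is what a caller should apply in front of any library `modInverse` that is not known to guard its own inputs.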

The vulnerability was reported by a researcher known as Kr0emer and has been assigned a HIGH severity rating by the maintainers. The issue is specific to the `modInverse()` method, a core mathematical operation used in various cryptographic implementations. The patch in version 1.4.0 resolves the infinite loop, preventing the DoS condition. The changelog for the release explicitly documents this security fix, highlighting its critical nature.

This update is a mandatory security patch for the vast ecosystem of Node.js applications and services that depend on the `node-forge` library for cryptographic operations, including TLS, SSH, and digital signatures. Failure to upgrade leaves systems vulnerable to a trivial resource-exhaustion attack that can be triggered remotely, depending on how the library is integrated. Developers are under immediate pressure to bump their dependency to version 1.4.0 or later to mitigate this risk.