Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)
The node-forge cryptography library has released version 1.4.0 to patch a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, is in `BigInteger.modInverse()`, a function node-forge inherits from the bundled jsbn library. When the function is called with a zero value as input, its extended Euclidean loop (jsbn uses the binary variant, which halves operands instead of dividing them) never reaches its exit condition: a zero operand halved is still zero, so the loop repeats the same step forever. The Node.js process hangs at 100% CPU, so any code path that lets untrusted values reach `modInverse()` is a straightforward vector for service disruption. A zero value has no inverse under any modulus, so there is never a legitimate reason for one to arrive there.
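To make the failure mode concrete, here is an added example (not node-forge or jsbn code): a BigInt re-implementation of the binary extended Euclidean inverse that jsbn's `BigInteger.modInverse()` is built on, with an iteration budget so the unguarded variant returns `null` where the real loop would spin, a one-line guard that closes the hang (the example's own fix, not a statement about the exact change in 1.4.0), and a caller-side wrapper for code that cannot upgrade yet. It handles odd moduli only, which is the case in which a zero input reaches the loop; all function names are this example's own.

```javascript
// Added example, not node-forge or jsbn code: a BigInt re-implementation of the
// binary extended Euclidean modular inverse, the algorithm behind jsbn's
// BigInteger.modInverse(). It shows why a zero input never terminates and what a
// guard looks like. Simplification: only odd moduli are handled, which is the
// case in which a zero input reaches the loop. All names are this example's own.

// Iteration budget so the unguarded variant returns null instead of hanging the
// process where the real loop would spin forever.
const MAX_STEPS = 10000;

const isEven = (x) => (x & 1n) === 0n;

// Unguarded shape of the algorithm. u and v are reduced by halving and
// subtraction while b and d track multipliers with u ≡ b*a and v ≡ d*a (mod m).
// With a === 0n, v starts at 0 and `while (isEven(v))` halves 0 forever,
// because 0 >> 1 is still 0: that is the hang described in the advisory.
// Returns the inverse in [0, m), 0n when no inverse exists, or null when the
// step budget ran out (the real code would sit at 100% CPU here).
function modInverseUnguarded(a, m) {
  if (m === 0n || isEven(m)) return 0n;     // odd-modulus simplification
  let u = m, v = a, b = 0n, d = 1n, steps = 0;
  while (u !== 0n) {
    while (isEven(u)) {
      if (++steps > MAX_STEPS) return null;
      u >>= 1n;
      if (!isEven(b)) b -= m;               // m is odd, so b - m is even
      b >>= 1n;
    }
    while (isEven(v)) {                     // never exits for v === 0n
      if (++steps > MAX_STEPS) return null;
      v >>= 1n;
      if (!isEven(d)) d -= m;
      d >>= 1n;
    }
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) return 0n;                  // gcd(a, m) != 1: no inverse
  const r = d % m;
  return r < 0n ? r + m : r;
}

// One-line guard that closes the hang: a value congruent to 0 has no inverse
// under any modulus, so it must never enter the loop. This is the example's own
// fix, not a claim about the exact change shipped in node-forge 1.4.0.
function modInverseGuarded(a, m) {
  if (m === 0n || a % m === 0n) return 0n;
  return modInverseUnguarded(a, m);
}

// Caller-side defence for code that cannot upgrade yet: validate before handing
// values to any modInverse() implementation, and never accept 0 as a result
// (jsbn's "no inverse" return value is indistinguishable from a real zero).
// `inverse` defaults to the guarded function above but can be a library call.
function safeModInverse(a, m, inverse = modInverseGuarded) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('BigInt operands required');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  const r = ((a % m) + m) % m;              // reduce into [0, m) first
  if (r === 0n) throw new RangeError('0 has no inverse modulo m');
  const inv = inverse(r, m);
  if (inv === null || inv === 0n || (r * inv) % m !== 1n) {
    throw new RangeError('no modular inverse: operands are not coprime');
  }
  return inv;
}

console.log(modInverseUnguarded(3n, 7n));   // 5n
console.log(modInverseUnguarded(0n, 7n));   // null: the budget, not the loop, ended it
console.log(modInverseGuarded(0n, 7n));     // 0n
console.log(safeModInverse(10n, 17n));      // 12n
```

The wrapper does two things the library cannot do for you: it reduces the operand into `[0, m)` before the call, so a value congruent to zero is rejected whatever form it arrived in, and it verifies `r * inv ≡ 1 (mod m)` on the way out, so a "no inverse" sentinel of `0` can never be mistaken for a usable result downstream.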
The vulnerability was reported by a researcher known as Kr0emer and has been assigned a GitHub Security Advisory (GHSA). The node-forge library, maintained by Digital Bazaar, is a widely used JavaScript implementation of cryptographic tools for TLS and other networking protocols in Node.js environments. Many downstream projects pull it in, often as a transitive dependency rather than a direct one, so this update matters well beyond the projects that list node-forge in their own package manifests.
Any project that depends on a node-forge version prior to 1.4.0 should upgrade to 1.4.0 or later, including transitive copies: `npm ls node-forge` lists every resolved copy in the dependency tree, and a lockfile pinned to an older release will keep installing the vulnerable code until it is regenerated. Where an immediate upgrade is not possible, validate integers before they reach `modInverse()` and reject zero outright; since zero has no inverse under any modulus, nothing legitimate is lost by refusing it. The fix is another reminder that foundational cryptographic dependencies carry long-lived bugs, and that proactive dependency management is what keeps one hung library call from becoming a cascading service failure.