Critical DoS Flaw in node-forge 1.3.3: Infinite Loop in `BigInteger.modInverse()` Triggers 100% CPU Hang
A high-severity Denial of Service (DoS) vulnerability has been patched in the widely used `node-forge` cryptography library. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function inherited from the bundled jsbn library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm enters a loop whose exit condition can never be reached, so the process hangs indefinitely at 100% CPU. Because a single call with one specific value is enough, this is a straightforward resource-exhaustion vector against any application or service that lets untrusted input reach this function through the vulnerable library.
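The following is an added example, not code from node-forge or jsbn, showing the argument checks a caller should apply before a value reaches a library `modInverse()`: reject zero (the input described above) and non-invertible values up front, so every path terminates with an error instead of a hang. It uses native `BigInt` and the classic extended Euclidean algorithm; the names `extendedGcd`, `safeModInverse` and `inverseOrError` are this example's own, and the sample operands are constructed for illustration.

```javascript
// Added example (not node-forge's own code): a modular inverse with the
// argument checks that protect against a zero input. Uses native BigInt and
// the classic extended Euclidean algorithm; node-forge bundles jsbn's own
// BigInteger class, whose internals are not reproduced here.

// Extended Euclid: returns [g, x, y] with a*x + b*y = g = gcd(a, b).
// |r| strictly decreases on every iteration, so the loop always terminates
// for non-negative operands.
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r; // BigInt division truncates toward zero
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return [oldR, oldS, oldT];
}

// Returns x in [1, m) with (a * x) % m === 1n, or throws for inputs that
// have no inverse. Zero is rejected before any loop runs.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverse expects BigInt operands');
  }
  if (m <= 1n) throw new RangeError('modulus must be greater than 1');
  const r = ((a % m) + m) % m; // reduce a into [0, m), handles negatives
  if (r === 0n) {
    // The problematic input: zero has no inverse modulo anything.
    throw new RangeError('zero has no modular inverse');
  }
  const [g, x] = extendedGcd(r, m);
  if (g !== 1n) {
    throw new RangeError(`${a} is not invertible mod ${m} (gcd = ${g})`);
  }
  return ((x % m) + m) % m;
}

// Wrapper pattern for code that hands attacker-controlled numbers to a
// third-party BigInteger: validate first, surface a result object, and
// never let a hostile zero pin a CPU.
function inverseOrError(a, m) {
  try {
    return { ok: true, value: safeModInverse(a, m) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample inputs (not from the advisory).
console.log(inverseOrError(3n, 11n));   // { ok: true, value: 4n }
console.log(inverseOrError(0n, 97n));   // { ok: false, error: 'zero has no modular inverse' }
console.log(inverseOrError(6n, 9n));    // { ok: false, error: '6 is not invertible mod 9 (gcd = 3)' }
```

The point of the wrapper is defense in depth: even after upgrading, values parsed from untrusted keys or certificates should be range-checked at the boundary rather than trusted to whichever library version happens to be installed.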
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer and has been addressed in the newly released node-forge version 1.4.0. The library is a critical dependency for numerous web applications, tools, and services that handle cryptographic operations, including TLS/SSL, digital signatures, and certificate generation. The simplicity of the trigger, a single specific input value with no special privileges required, makes this a significant operational risk for unpatched systems.
This security update is a mandatory patch for all downstream projects. The GitHub advisory (GHSA) confirms the fix. Organizations and developers should immediately upgrade from node-forge 1.3.3 or earlier to version 1.4.0, including transitive copies pulled in by other packages (`npm ls node-forge` lists every resolved copy in a dependency tree). Failure to patch leaves systems exposed to a trivial attack that can cripple application availability.