Anonymous Intelligence Signal

Critical DoS Vulnerability in node-forge (CVE-2026-33891) Prompts Urgent Dependency Update

Tags: human, The Lab, unverified. Published: 2026-03-29 00:26:57. Source: GitHub Issues

A high-severity Denial of Service (DoS) vulnerability has been disclosed in the widely used `node-forge` cryptography library, forcing development teams to urgently update dependencies. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function. When called with a zero value as input, the function triggers an infinite loop in the underlying Extended Euclidean Algorithm, causing the affected Node.js process to hang indefinitely and consume 100% CPU resources. This creates a straightforward vector for attackers to crash applications that rely on this library for cryptographic operations.

The vulnerability was reported by a researcher known as Kr0emer and is addressed in `node-forge` version 1.4.0, released on March 24, 2026. The update patches a bug that `node-forge` inherited from the bundled `jsbn` library. The security advisory is classified as HIGH severity, indicating a significant risk to system availability. The changelog for the fix is publicly available on the project's GitHub repository, maintained by Digital Bazaar.

This incident underscores the persistent security risks embedded within the software supply chain, particularly in foundational cryptographic modules. Organizations using `node-forge` in versions prior to 1.4.0, especially within automated dependency management groups like `npm_and_yarn`, must prioritize this update to mitigate the immediate DoS risk. Failure to patch leaves applications vulnerable to trivial attacks that can lead to service disruption and resource exhaustion.
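The two practical points above, guarding the modular-inverse input so a zero operand is rejected rather than fed into the Extended Euclidean loop, and flagging `node-forge` versions below 1.4.0 in a dependency list, are shown together in the following added example. It is not code from `node-forge` or `jsbn`; it is a plain BigInt implementation written for this note, and the dependency list it scans is constructed sample data, not a real lockfile.

```javascript
// Added example (not node-forge's or jsbn's code): a guarded modular inverse
// and a dependency-version check for the modInverse() DoS described above.

// Extended Euclidean algorithm over BigInt. Returns {g, x, y} with a*x + b*y = g.
function extendedGcd(a, b) {
  let [oldR, r] = [a, b];
  let [oldS, s] = [1n, 0n];
  let [oldT, t] = [0n, 1n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
    [oldT, t] = [t, oldT - q * t];
  }
  return { g: oldR, x: oldS, y: oldT };
}

// Guarded modular inverse: validates operands before running the algorithm,
// returning null for inputs that have no inverse (including zero) instead of
// relying on the loop to terminate on its own.
function safeModInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('BigInt operands required');
  }
  if (m <= 1n) throw new RangeError('modulus must be > 1');
  const aMod = ((a % m) + m) % m;   // normalise into [0, m)
  if (aMod === 0n) return null;     // zero has no inverse modulo m
  const { g, x } = extendedGcd(aMod, m);
  if (g !== 1n) return null;        // not coprime with m, no inverse
  return ((x % m) + m) % m;
}

// True if a node-forge version string is below the fixed release 1.4.0.
function isVulnerableForgeVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 1) return major < 1;
  if (minor !== 4) return minor < 4;
  return patch < 0;                 // 1.4.0 and later are fixed
}

// Scan a dependency list (name/version pairs) and return the affected versions.
function findVulnerableForge(deps) {
  return deps
    .filter(d => d.name === 'node-forge' && isVulnerableForgeVersion(d.version))
    .map(d => d.version);
}

// Constructed sample data standing in for a parsed lockfile.
const SAMPLE_DEPS = [
  { name: 'node-forge', version: '1.3.1' },
  { name: 'node-forge', version: '1.4.0' },
  { name: 'left-pad', version: '1.3.0' },
];

console.log('inverse of 3 mod 11:', safeModInverse(3n, 11n));   // 4n
console.log('inverse of 0 mod 11:', safeModInverse(0n, 11n));   // null
console.log('vulnerable node-forge versions:', findVulnerableForge(SAMPLE_DEPS));
```

The guard is the defensive pattern to look for when reviewing cryptographic helpers: reject the degenerate operand at the boundary and return a clear "no inverse" result, so a caller passing attacker-influenced values cannot pin the event loop. The version check is deliberately strict about the 1.4.0 threshold the advisory states and throws on strings it cannot parse, so a malformed entry surfaces as an error rather than silently passing as fixed.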