Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)

human The Lab unverified 2026-03-29 01:26:55 Source: GitHub Issues

The node-forge cryptography library has released version 1.4.0 to patch a high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2026-33891. The flaw lies in `BigInteger.modInverse()`, which node-forge inherits from its bundled copy of the jsbn big-integer library. When the function is called with a zero value as input, the extended Euclidean loop inside it never reaches its exit condition: the call never returns, and the process spins at 100% CPU. Because the call is synchronous, the hang blocks the Node.js event loop, so a single bad input stalls every other request the process is serving. A correct implementation would reject such input instead, since zero has no inverse modulo any m > 1. Any application or service in which attacker-influenced numbers (whether parsed from keys, certificates or protocol parameters) can reach this function therefore exposes a straightforward resource-exhaustion vector.
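As an added illustration, not code from node-forge, jsbn or the advisory, the BigInt implementation below shows what a terminating modular inverse looks like: inputs that have no inverse, zero included, are rejected before the loop, and the loop's remainder strictly decreases so it always exits. The function names and the input check are this example's own; the check is the kind of guard a caller can place in front of any third-party `modInverse()`.

```javascript
// Added example (not node-forge or jsbn code): modular inverse via the
// extended Euclidean algorithm over BigInt, written so that every input
// has a finite exit path.

// Validation a caller should perform before any modInverse() call,
// whichever library implements it. Rejects the zero case that hangs
// the vulnerable jsbn loop, and the degenerate modulus.
function checkModInverseInput(a, m) {
  if (typeof a !== "bigint" || typeof m !== "bigint") {
    throw new TypeError("inputs must be BigInt");
  }
  if (m <= 1n) throw new RangeError("modulus must be > 1");
  // a === 0n, or any multiple of m, has no inverse modulo m.
  if (a % m === 0n) throw new RangeError("value has no inverse modulo m");
}

// Returns x with (a * x) mod m === 1n, or null when gcd(a, m) !== 1.
function modInverse(a, m) {
  checkModInverseInput(a, m);
  let r0 = ((a % m) + m) % m; // normalise negative a into [0, m)
  let r1 = m;
  let s0 = 1n;                // coefficient of a in r0
  let s1 = 0n;                // coefficient of a in r1
  // Invariant: r0 ≡ s0*a (mod m) and r1 ≡ s1*a (mod m).
  // r1 strictly decreases toward 0 on every iteration, so the loop
  // terminates for every input that passed the check above.
  while (r1 !== 0n) {
    const q = r0 / r1;        // BigInt division truncates
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  if (r0 !== 1n) return null; // gcd > 1: no inverse exists
  return ((s0 % m) + m) % m;
}

// Convenience form for callers that prefer a result object to exceptions.
function tryModInverse(a, m) {
  try {
    const x = modInverse(a, m);
    return x === null ? { ok: false, reason: "not coprime" } : { ok: true, value: x };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

console.log(tryModInverse(3n, 11n));  // { ok: true, value: 4n }
console.log(tryModInverse(0n, 7n));   // { ok: false, reason: 'value has no inverse modulo m' }
```

The guard is the part worth copying: a library that loops forever on zero is only reachable if the caller lets zero through, and `a % m === 0n` is a one-line check that closes that path for any modulus.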

The vulnerability was reported by a researcher known as Kr0emer and is detailed in GitHub Security Advisory GHSA-... (truncated in source). node-forge, maintained by Digital Bazaar, is a widely used pure-JavaScript implementation of TLS, X.509, RSA and related primitives for Node.js and browsers, and it is frequently pulled in transitively by other packages, so many projects depend on it without listing it directly. The fix ships in 1.4.0, the release after 1.3.2; the advisory describes no workaround other than upgrading.

This patch puts immediate pressure on development and security teams to audit their dependency trees and upgrade. Because node-forge is usually a transitive dependency, checking package.json is not enough: every copy recorded in the lockfile, including nested copies under another package's node_modules, must be at 1.4.0 or later (`npm ls node-forge` lists them all, and `npm audit` flags them once the advisory is in the registry's database). Any delay leaves systems exposed to a simple, high-impact attack on availability. The episode underscores the persistent risk carried by foundational cryptographic dependencies and the cascading operational impact when a core library in the JavaScript/Node.js stack needs an urgent update.
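As an added example, not part of the advisory or of any npm tooling, the script below scans an npm lockfile (lockfileVersion 2 or 3, which record every installed package under a "packages" map keyed by install path) for all copies of a package below a given version, nested transitive copies included. The lockfile it parses is a constructed sample embedded inline so the script runs offline; a real scan would read package-lock.json from disk with `fs.readFileSync`. The package and version numbers in the sample are illustrative only.

```javascript
// Added example (not advisory or npm code): find every installed copy of a
// package below the fixed version in an npm lockfile, nested copies included.

// Constructed sample lockfile. The nested path under some-lib stands in for
// a transitive install that a plain package.json review would miss.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "node-forge": "^1.3.1", "some-lib": "^2.0.0" } },
    "node_modules/node-forge": { version: "1.3.1" },
    "node_modules/some-lib": { version: "2.4.0" },
    "node_modules/some-lib/node_modules/node-forge": { version: "1.4.0" },
  },
});

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored,
// which is acceptable for a "below the fixed release" check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "1.10.0" correctly sorts above "1.4.0".
function versionLess(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Returns "path@version" for every installed copy of `pkg` whose version is
// below `fixed`. The package name is everything after the last
// "node_modules/" in the path, which also handles scoped names (@scope/name).
function findVulnerable(lockJson, pkg, fixed) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) {
    throw new Error("no 'packages' map (lockfileVersion 1?); use `npm ls` instead");
  }
  const marker = "node_modules/";
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || !entry.version) continue; // root project or link entry
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === pkg && versionLess(entry.version, fixed)) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}

console.log(findVulnerable(SAMPLE_LOCKFILE, "node-forge", "1.4.0"));
// [ 'node_modules/node-forge@1.3.1' ]
```

The point of walking the "packages" map rather than the root "dependencies" block is that the nested 1.4.0 copy and the top-level 1.3.1 copy coexist; only the latter is reported, and an upgrade that touches just the direct dependency would miss the reverse situation, where the outdated copy is the nested one.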