Anonymous Intelligence Signal

Node-Forge 1.4.0 Patches Critical DoS Flaw in `BigInteger.modInverse()` (CVE-2026-33891)

The Lab | unverified | 2026-03-29 01:26:59 | Source: GitHub Issues

A security update for the widely used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which `node-forge` inherits from its bundled copy of the `jsbn` big-integer library. When this function is called with a zero operand, the exit condition of the Extended Euclidean Algorithm's inner loop can never be reached, so the loop never terminates: the Node.js process hangs indefinitely and pins a CPU core at 100%. Because Node.js runs JavaScript on a single thread, the event loop is blocked and every other request handled by that process stalls with it.

The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`. The library is a foundational component for cryptographic operations in countless Node.js applications, including those handling TLS, SSH, and digital signatures. Modular inversion is a building block of public-key arithmetic (RSA key generation and ECDSA signing both rely on it), so the affected function sits on many code paths. Practical exploitability of a given application, however, depends on whether attacker-controlled values can reach `modInverse()` without being validated first; a zero operand is never a legitimate input to a modular inverse, and a correct implementation should reject it rather than loop.
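To make the failure mode concrete, the following is an added example written for this page; it is not code from `node-forge` or `jsbn`, and it runs on native `BigInt` without the library installed. It implements the binary extended-GCD form of modular inversion (the structure in HAC Algorithm 14.61, which is the shape `jsbn`'s `BigInteger.modInverse()` follows by my reading of its source; the advisory summary above does not itself say which variant is used). The unguarded routine carries an iteration budget so that the zero-operand case can be observed as a thrown error instead of a hung process: with `x = 0`, the loop that strips factors of two from `v` never exits, because `0 >> 1` is still `0` and `0` is still even. The `modInverseChecked()` wrapper is a hypothetical call-site guard of the kind a team pinned below 1.4.0 could apply while upgrading: reduce the operand, reject zero explicitly, and only then compute.

```javascript
// Added example for this page (not node-forge / jsbn code).
// Binary extended GCD modular inverse on native BigInt, in the shape of
// HAC Algorithm 14.61. Tracks only the coefficients of x (b for u, d for v),
// which is sufficient mod m when m is odd.
//
// Preconditions for the unguarded routine: m odd and > 1, 0 <= x < m.
// 'budget' caps loop iterations so a non-terminating input is reported
// rather than pinning the CPU; a real library would not need it if it
// rejected x == 0 up front.
function binaryModInverseUnguarded(x, m, budget = 10000) {
  if (m <= 1n || (m & 1n) === 0n) return { ok: false, reason: 'modulus must be odd and > 1' };
  if (x < 0n || x >= m) return { ok: false, reason: 'operand must satisfy 0 <= x < m' };

  let u = m, v = x;      // invariants: b*x == u (mod m), d*x == v (mod m)
  let b = 0n, d = 1n;
  let iters = 0;
  const tick = () => {
    if (++iters > budget) throw new Error('iteration budget exceeded: loop is not terminating');
  };

  while (u !== 0n) {
    while ((u & 1n) === 0n) {          // halve u while even, keep b*x == u (mod m)
      tick();
      u >>= 1n;
      if ((b & 1n) !== 0n) b -= m;     // make b even (m is odd) before halving
      b >>= 1n;
    }
    // For x === 0 this loop never exits: v stays 0, and 0 is always even.
    while ((v & 1n) === 0n) {
      tick();
      v >>= 1n;
      if ((d & 1n) !== 0n) d -= m;
      d >>= 1n;
    }
    tick();
    if (u >= v) { u -= v; b -= d; } else { v -= u; d -= b; }
  }
  if (v !== 1n) return { ok: false, reason: 'operand not invertible (gcd != 1)' };
  return { ok: true, inverse: ((d % m) + m) % m };
}

// Hypothetical call-site guard: normalise the operand into [0, m), refuse zero
// (no inverse exists, and the unguarded routine would spin on it), then compute.
function modInverseChecked(x, m) {
  const r = ((x % m) + m) % m;
  if (r === 0n) throw new RangeError('modInverse: zero operand has no inverse (refusing to compute)');
  const out = binaryModInverseUnguarded(r, m);
  if (!out.ok) throw new RangeError('modInverse: ' + out.reason);
  return out.inverse;
}

// Stand-alone demonstration.
console.log('3^-1 mod 7  =', modInverseChecked(3n, 7n).toString());    // 5
console.log('10^-1 mod 17 =', modInverseChecked(10n, 17n).toString()); // 12
try {
  binaryModInverseUnguarded(0n, 7n);                  // the CVE-2026-33891 input shape
} catch (e) {
  console.log('unguarded zero operand:', e.message);  // budget exceeded, i.e. would hang
}
try {
  modInverseChecked(0n, 7n);
} catch (e) {
  console.log('guarded zero operand:', e.message);    // rejected before the loop
}
```

The guard normalises before testing for zero because a multiple of the modulus is zero in the ring as well; checking `x !== 0` on the raw value alone would miss that case in an implementation that reduces first.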

This patch is a mandatory update for any project or service that depends on `node-forge`. The infinite loop is a clear vector for resource exhaustion: an attacker who can get a zero operand into `modInverse()` can hang a worker process outright or severely degrade application throughput. Developers should update their dependency from version 1.3.3 or earlier to 1.4.0. Because `node-forge` is frequently pulled in transitively (by TLS, PKI, and signing helpers rather than by the application directly), run `npm ls node-forge` to find every copy in the dependency tree, not just the ones listed in `package.json`, and make sure each resolves to 1.4.0 or later. The advisory and fix were published by the maintainers, Digital Bazaar, on March 24, 2026.