Node-Forge 1.4.0 Patches Critical DoS Flaw (CVE-2026-33891) in `BigInteger.modInverse()`
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which `node-forge` inherits from the bundled `jsbn` library. When this function is called with a zero value as input, the internal Extended Euclidean Algorithm never reaches its exit condition, so the loop runs forever, the Node.js process hangs indefinitely and consumes 100% of a CPU core.
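To illustrate the guard a caller would want in front of any modular-inverse routine, here is an added example (not `node-forge` or `jsbn` code) that validates its inputs before running the extended Euclidean loop, rejecting the zero residue that triggers the hang and any non-coprime pair; it uses native `BigInt`, and all sample values are constructed.

```javascript
// Modular inverse with explicit input validation. Throws instead of
// looping when no inverse exists: a zero residue (the CVE-2026-33891
// trigger) or a pair with gcd(a, m) != 1.
function modInverse(a, m) {
  if (typeof a !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('modInverse expects BigInt arguments');
  }
  if (m <= 1n) throw new RangeError('modulus must be > 1');
  a = ((a % m) + m) % m;                 // normalise into [0, m)
  if (a === 0n) throw new RangeError('0 has no inverse mod m');

  // Extended Euclid: invariant oldR === oldS * a (mod m).
  // r strictly decreases each round, so the loop always terminates.
  let [oldR, r] = [a, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;                  // BigInt division truncates
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new RangeError(`gcd(a, m) = ${oldR}, no inverse`);
  return ((oldS % m) + m) % m;           // bring into [0, m)
}

// Convenience wrapper: returns null for bad input, so a caller can
// reject it up front rather than hand it to a library that may loop.
function tryModInverse(a, m) {
  try {
    return modInverse(a, m);
  } catch (e) {
    return null;
  }
}
```

The same pre-check (reduce modulo `m`, refuse a zero residue) can be applied to untrusted values before they reach `BigInteger.modInverse()` in code that cannot yet upgrade.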
The vulnerability, rated HIGH severity, was reported by a researcher known as Kr0emer. The issue is addressed in the newly released version 1.4.0 of `node-forge`. The changelog explicitly warns that the infinite loop condition could be triggered by any code path that calls the vulnerable function with a zero argument, posing a significant risk to the availability of any application or service that depends on this library for cryptographic operations.
This patch is a mandatory update for all projects using `node-forge`. The library is a foundational component for TLS, SSH, and other cryptographic tasks in the Node.js ecosystem, making its security critical. Developers are under immediate pressure to upgrade from version 1.3.3 or earlier to version 1.4.0 to mitigate the risk of service disruption. The advisory, linked via a GHSA ID, provides the official remediation path, signaling that this vulnerability is now publicly known and actively being addressed in downstream dependencies.